MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faf644936518d08844480041214802d01dfc60dd3384110a7fc9b8e3ea5eac77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: faf644936518d08844480041214802d01dfc60dd3384110a7fc9b8e3ea5eac77
SHA3-384 hash: d7995578c4ed01c9952a912e731c7de4b69481260b8ba2b874c153d8f47b1f19f5642d68a2cdc9fbc8eb97a2f95c8f25
SHA1 hash: c33b8ce7aac2d4a5c71a19a1159f1bf8f4f961a5
MD5 hash: 4c1768ccaf19b1a209b52ea9de070972
humanhash: zebra-winner-virginia-mango
File name:Machinery Technology & Engineering solicitud de presupuesto.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:837'632 bytes
First seen:2021-05-05 15:26:26 UTC
Last seen:2021-05-05 16:02:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gmtkfC3/x9gpNf4c3djuaLNEdjuTt8/LKNZSMDydlfeTSv8eOeO7rgRwKAIKchrO:NvgvfLjTKKaM8YSv8eOe37scd1Gm9
Threatray 4'512 similar samples on MalwareBazaar
TLSH 9F05127863559792E93F0B7D29BCC0042BB8BB2681A3E70E6FC075BB4F773518621661
Reporter abuse_ch
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150733/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.624-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/faf644936518d08844480041214802d01dfc60dd3384110a7fc9b8e3ea5eac77/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 15:27:05 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7l3eje3fddiiqrciabascsac2ao7yyg5gocbcct7zg4oh2s6vr3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17a2998f5870ffefaeba81c40cff6e3505e01c5895df2f602ff1cb628d46949a
AgentTesla
44bae203dedf4da34c0a883f5f393cdf28853c34f84cabd3287758a23a9ef88d
AgentTesla
4bc5afb7fa8639008d294a8afb8f42531bfcf084398600500bdc81533602c760
AgentTesla
6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f
AgentTesla
70bba7ae7db7a571dde9f6e9adad50a1b4fb32b8757f5d6cebb3d73b833644f6
AgentTesla
8646878e9ab3b25410174a6f7926aed70396cff1d34c3a7725470a6c014ff734
AgentTesla
b2b6eff8a6c60704b212b98e6eb03be8bd26e1dc3bd8b6f28774bd6a52badb6d
AgentTesla
b490bfd0e2a245e5ba7a9d4af2f95a36c9db109856c1187b16a44dd6fe172c88
AgentTesla
f5e0c3bfd23d86f0cdef681b4922c59e77fb094bacd29add988ff6c9a30d850b
AgentTesla
f74cdb3b1d0e2e2959326ae6d3c24b8dd1b74fee0258b96ae8a6b69a8c6efcff
AgentTesla
+ 4'502 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210505-bg5ydrbz7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1792556679:AAFHsf5h-jz26V9shE3tQzOepC3Xy8pqefA/sendDocument
Unpacked files
SH256 hash:
bdf79e57b5574f9bafb56f6d0592f5ee429df7eb0ad536fbdb4f2956aae36f87
MD5 hash:
826b29e2a141b055a5491c9d7dc6eea7
SHA1 hash:
af4201362b8603bf7e4b6e2ead1cfb610dd7c0a9
Link:
https://www.unpac.me/results/93e1b8dd-53eb-462b-91cb-517b0507ad04/
SH256 hash:
faf644936518d08844480041214802d01dfc60dd3384110a7fc9b8e3ea5eac77
MD5 hash:
4c1768ccaf19b1a209b52ea9de070972
SHA1 hash:
c33b8ce7aac2d4a5c71a19a1159f1bf8f4f961a5
Link:
https://www.unpac.me/results/93e1b8dd-53eb-462b-91cb-517b0507ad04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/faf644936518d08844480041214802d01dfc60dd3384110a7fc9b8e3ea5eac77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150733/

Comments