MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb36eae3bb16b34bb057bbe330f5e13ed0bd8158915ec3cb9b1e694273672402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	fb36eae3bb16b34bb057bbe330f5e13ed0bd8158915ec3cb9b1e694273672402
SHA3-384 hash:	84b0f9c8f12820efe491583c58270f666cc5bb854680f534291a87b3f049761926e5370210922de2203f50b12c524626
SHA1 hash:	89dc6856be3b2174fecc9a15e57e6d33d7fde6c8
MD5 hash:	e2477f3f43d7fa5b8f1ffa0352c7f100
humanhash:	monkey-orange-kitten-nineteen
File name:	FedEx_Shipment_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'295'360 bytes
First seen:	2021-07-12 13:23:59 UTC
Last seen:	2021-07-13 12:39:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep	24576:zTrjgTb9f//xTr5tdWp29sk76g0n5f9l6PIYpbjb6kK:jjUbNHxTrAHD5FcxbHY
Threatray	6'592 similar samples on MalwareBazaar
TLSH	T13955CF9D3254B2DFC86BDD76CA681C64EA6078B7430BD247A05716ACDE0D99BCF180F2
Reporter	info_sec_ca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

146

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedEx_Shipment_pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-07-12 13:27:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a485c0e6-6fd4-4299-a28b-ec7048582815

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/171112/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.924.11567.7292.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e397fd81-b326-4f13-b314-8cfdd37f8f4e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/814879

Signature

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fb36eae3bb16b34bb057bbe330f5e13ed0bd8158915ec3cb9b1e694273672402/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-12 10:30:43 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

298580b2b60cd18e7ac66ca75c0105309efc31478451ba1f338ff293af6b7e02

AgentTesla

3280a97200b04ee7c4269d468acdde031570d46d59b7991948c22fcf9fbf4773

AgentTesla

51ca9453d5b45f1def4745ce3126dcf3e6b7d6a6b9ed39aa8a68c4c68d17ac4d

AgentTesla

542200906b6fd1d7cbf92964d984d66eb7566451cb68851ab9ddd8761fe68def

AgentTesla

611a2dfac3989c66b10815fe8d6a81d92554e0ce47ec3d5b6bdd7c91c4163a7e

AgentTesla

a8c94f8fc9b5c2a0cd3da68122fc36b28a7b990ace2f238961742245ece50ed5

AgentTesla

c65dd45fb74c07111e2af32a6fae4aa6c8035950f0fe2b4a162db0439f85beb1

AgentTesla

c66e48dadd79b9773eb9bf426d9f57760bad3711df997bde60ebc3895cf68147

AgentTesla

df730a5c1462ced883e78b64dbb7d34c7687b3e0b20914559a87a3719496818f

AgentTesla

+ 6'582 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210712-xxk85sp9aa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/23497fd8-e317-49a1-a6b6-1b963a416460/

SH256 hash:

c924488db2adc689d14a86a71167dce3c76fa9827399aaca79f5ec6d7924283d

MD5 hash:

4ab10fa087aca52b0e3a1e2032e18c1b

SHA1 hash:

a8720196d80c0d3a304e1243abadae4686b1e18d

Link:

https://www.unpac.me/results/23497fd8-e317-49a1-a6b6-1b963a416460/

SH256 hash:

4c61613bd30302f9c59edeb74815a553c5a575997be10f3771aa9ce5a10a5c1d

MD5 hash:

935987db4d3243cc90c8aabda92b5617

SHA1 hash:

39c4000cec83791d5086842a41222ec8ee8c925a

Link:

https://www.unpac.me/results/23497fd8-e317-49a1-a6b6-1b963a416460/

SH256 hash:

f8f6c54704f0d9e58fa78af87f4b83afb73e36b5ba94f2d3ed192a2ea5927870

MD5 hash:

e9a8d2768163f3ac2260cb9c5dd09d6b

SHA1 hash:

2965afd89c4c9e1a5779b71ef8546894e03379e3

Link:

https://www.unpac.me/results/23497fd8-e317-49a1-a6b6-1b963a416460/

SH256 hash:

fb36eae3bb16b34bb057bbe330f5e13ed0bd8158915ec3cb9b1e694273672402

MD5 hash:

e2477f3f43d7fa5b8f1ffa0352c7f100

SHA1 hash:

89dc6856be3b2174fecc9a15e57e6d33d7fde6c8

Link:

https://www.unpac.me/results/23497fd8-e317-49a1-a6b6-1b963a416460/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/fb36eae3bb16b34bb057bbe330f5e13ed0bd8158915ec3cb9b1e694273672402

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171112/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample