MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31
SHA3-384 hash: 02ebb2e9c4e956f57c76671d0dc0b288c33bb39c8ff0dde48d796def1922032cbf6d5f4d3838e4275b1b129b1ac34f08
SHA1 hash: 7f8e95720d6dc0da4f230abce801d87b4f0a9dd5
MD5 hash: 7c047d2a71d8c0102861a576fe28a619
humanhash: apart-diet-california-king
File name:7c047d2a71d8c0102861a576fe28a619.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:879'616 bytes
First seen:2023-03-10 12:18:07 UTC
Last seen:2023-03-10 13:30:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:WuOZ6wGkB+e9uf8oPj4iwSqm8Zc3LQQqWSO:lMiwSH8a3LRSO
Threatray 1'327 similar samples on MalwareBazaar
TLSH T10E15CE167CEC626FE7B2CB3B6242540C37791124B22EFDE52885D3EF2A81B131A51D5B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 69f0d284deb4f069 (10 x AgentTesla, 3 x SnakeKeylogger, 2 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Statement.xls
Verdict:
Malicious activity
Analysis date:
2023-03-09 13:10:08 UTC
Tags:
opendir exploit cve-2017-11882 loader
Link:
https://app.any.run/tasks/ad603eb1-c540-43a3-9acf-a935b7f58f87

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373349/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65854002.14637.7448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/640b203879380d66a3b24d53/reports/23042766-4c00-48f7-a9a5-12187e0b159d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23c16a72-7b15-4e42-ae32-5e2bf4a6a711
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191163
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824039 Sample: gy11KzRkLQ.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 6 other signatures 2->55 7 gy11KzRkLQ.exe 7 2->7         started        11 EJEguotwj.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\RoamingJEguotwj.exe, PE32 7->31 dropped 33 C:\Users\...JEguotwj.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp848E.tmp, XML 7->35 dropped 37 C:\Users\user\AppData\...\gy11KzRkLQ.exe.log, ASCII 7->37 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 May check the online IP address of the machine 7->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->61 67 3 other signatures 7->67 13 gy11KzRkLQ.exe 15 7 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 21 EJEguotwj.exe 7 11->21         started        23 schtasks.exe 1 11->23         started        signatures5 process6 dnsIp7 39 api4.ipify.org 173.231.16.76, 443, 49712 WEBNXUS United States 13->39 41 api.telegram.org 149.154.167.220, 443, 49713, 49714 TELEGRAMRU United Kingdom 13->41 47 2 other IPs or domains 13->47 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        43 104.237.62.211, 443, 49715 WEBNXUS United States 21->43 45 api.ipify.org 21->45 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->69 71 Tries to steal Mail credentials (via file / registry access) 21->71 73 Tries to harvest and steal browser information (history, passwords, etc) 21->73 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 14:17:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7nnv2vnmt3qhyzvn2nzvj5bk2jrqrnetekdedn3nlbloz2gi5qyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3ee7671cc6464b59118160bb27fe955fd2ff0f8cc74d6e07da97c27f95c9c32e
AgentTesla
58c9d27bbcac08daf0e53a2437632c51c38ce6ab04f8195c903e26fd8b951051
AgentTesla
68d5ca8cc172f06770b92182cc32ca1f3f5879cd4e8dba6f399bf9dc4157d617
AgentTesla
89632d21c560d1a448b67afd30d8e4f4c07643f839a04e08d8b4ebdc3ef4b6b4
AgentTesla
b6729b6cbe1e54cc96e879accbdd5e31cb61d184e8327e739a58a78d3f05f0d9
AgentTesla
c6a88fa7c96472e543ffb6fe52a0a56ebea150a8e60f1779d1241cd7a26f02e1
AgentTesla
d519e342f95c5d96e84a3cca2fc999fedc3f0ee24133806a07f59a4688a22f99
AgentTesla
+ 1'317 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230310-pg7axsfd2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5896636070:AAE1wgCylxBdOo6ud0Pm37zMf2XWSsuCQ0g/
Unpacked files
SH256 hash:
bda032a195238caef6b44da825c14091295cc2babb31d4eb6eb7b54f5b0e518c
MD5 hash:
83870ed8a5c74b016985897330dde82c
SHA1 hash:
c2cbdc714b89fefb7fe6b8d2f0ef4801f5b23cff
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
SH256 hash:
57c9f486be687ebc08a756e5fd750fc63f3f3b8892b46508589ecfd2b69c9eca
MD5 hash:
cd7051e0594ee4d89521baffc7693b41
SHA1 hash:
9b7ee6f1bc68f29807b96c7487b12c751cff427b
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
SH256 hash:
d144989d8dc808c26338c65dcb3652f565f96aa77179ff16ac9e073d753efc8b
MD5 hash:
eb69edfa7caf70a70411d253ae805cb4
SHA1 hash:
5c9f3ecffc92a1cd63192b548978c52e69630ace
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
SH256 hash:
e59b539ec78cd93b2a116aecf74d3e35973f0aff3589fa51c8793c2e45ac4bad
MD5 hash:
c16040a57acbe84721f9ec6737c190fe
SHA1 hash:
3fd8ab655cd1c944bd716279cd66914025e07554
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
SH256 hash:
0f9ab0871be719546ba3750aa75593ebc1f81bb99450cf2c7dd6013ee86352f9
MD5 hash:
367dcdfe12c41ff6978b3ec943b68582
SHA1 hash:
3bedf0c40ff4db06b004ca3fddf229bda9d6e4cc
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
SH256 hash:
fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31
MD5 hash:
7c047d2a71d8c0102861a576fe28a619
SHA1 hash:
7f8e95720d6dc0da4f230abce801d87b4f0a9dd5
Link:
https://www.unpac.me/results/8c387d74-4199-472d-b423-78a318a8b2bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe fb5b5d55ac9ee07c66add37354f42ad26308b493228641b76d5856ece8c8ec31

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2564168/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/373349/

Comments