MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331
SHA3-384 hash: c69a47cdc75c2dafb9fe3b32d4551398c9889e032bbf684a90d352089d3470f2f827fda2de74538a80a99fbdadd2e5d1
SHA1 hash: 6847679d972de4004d0d89086662a3d501779e7a
MD5 hash: 3198153b439f1ec8844a8c2584cc2c94
humanhash: zulu-yellow-mango-may
File name:Documentos de Envio Originales de DHL-2013839892.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:718'848 bytes
First seen:2024-05-28 17:40:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:iCCVfRBD8EK7pMbOV/Yz9djd/Jg3Ct3HWTq/FnJtLRq5g0aXz+:4JBDVKybOtYzbjY3Ct3HW+FnPUXqK
Threatray 14 similar samples on MalwareBazaar
TLSH T12DE423E131AB92C7CB540AF40A9D776387BD41EA6526D3DC1CDC62D84A723DA2234F1B
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon e8963351513b8ee8 (9 x AgentTesla, 4 x Formbook, 1 x Neshta)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331.exe
Verdict:
Malicious activity
Analysis date:
2024-05-28 17:53:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f5b13782-4f99-4d82-baf5-0286118f81c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.20813.21409.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665617585721c8e527178496win7simulatehigh_evasion
Tags:
Swotter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6656173532eca5b280007a1c/reports/c0120c1b-6209-4242-acd6-033252802c7e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11fd3348-7df4-42d7-a901-3b3013186506
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1448821
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448821 Sample: Documentos de Envio Origina... Startdate: 29/05/2024 Architecture: WINDOWS Score: 100 28 www.lets-goo.ru 2->28 30 www.gett.hu 2->30 32 7 other IPs or domains 2->32 42 Snort IDS alert for network traffic 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 10 other signatures 2->48 10 Documentos de Envio Originales de DHL-2013839892.exe 3 2->10         started        signatures3 process4 signatures5 60 Injects a PE file into a foreign processes 10->60 13 Documentos de Envio Originales de DHL-2013839892.exe 10->13         started        process6 signatures7 62 Maps a DLL or memory area into another process 13->62 16 JgcJxGNbQWAfnjVTCEtBxXiHXBK.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 TSTheme.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 2 other signatures 19->56 22 JgcJxGNbQWAfnjVTCEtBxXiHXBK.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.crxwdix.store 124.156.151.111, 49723, 49725, 49727 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 22->34 36 emgeecontracting.shop 69.57.162.24, 49738, 49739, 49740 FORTRESSITXUS United States 22->36 38 4 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-05-28 13:58:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7oscv6cp6n23w5ykjhppqvtyyebubtqw37l53tgw6rz4rgkv4myq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
19b86526b9c8b33ee230bba95c8a02fc47db4d230933c3ebcb6888e0dd344f77
AgentTesla
57b81292b61a36171a2ad822d255aae878a8f9ca187efb43da94c7865c8388c4
AgentTesla
8f7befd74751db69ff99b1cd3f153554c89a03e6758ae974b4debe5f2578d618
AgentTesla
9b2e166e69584f44f60b0d8a73335912f90e689ecaa2061afbd637709fba4393
AgentTesla
c67f8d964ee3965911b0f29dd28a6bd65f136662f5cd3a1193f85ab7e81656c2
AgentTesla
d0b94b855d2f24add1edf6b3a6ecae24e4366f181a1ccd0bcd3b27e94de95bc0
AgentTesla
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240528-v9ghvsdf4s/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a848863a-c23a-4a8a-8096-1a1c0fee383e
Unpacked files
SH256 hash:
8e1e81a2517df82e4f890e7f06af93645f610015f1b0043f205882449eee1b96
MD5 hash:
dcf6f858e1fd755e7227e3dcdd1c81c6
SHA1 hash:
2efa0a938ddf19aae6f33de5dc99140eedfa801b
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
SH256 hash:
6215c4f3fc7666f2a5757e6779864a884d7d698bb02594e4c8456f84daf6bb5e
MD5 hash:
cfe7e26312cf4ce9c4c628a290b6a55a
SHA1 hash:
71216d923775f21b2ee26913d1098fc035eb0b77
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
SH256 hash:
6e12cbdfd0d4eb3111ea27947dbec936d6e360db13407e21986850bddc82abcf
MD5 hash:
a1d747843d49712987d88e9a14d9f792
SHA1 hash:
e9c928e467e5351f085d3bc66e53686a20f670a2
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
SH256 hash:
9afae261f47a418fecaba666fd78e8fa1634782a55efb346bddae801de0de308
MD5 hash:
a3cdf28805049e201c42e4b445deeecf
SHA1 hash:
d98486d8f67718ea821bf7483a162d14f69d0f6a
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
SH256 hash:
2dc29238cf653fa3d775b71411cb4573737ef4af8db531a8d82becc9dc4636bd
MD5 hash:
c94258437122be9bf1841ffefac69de1
SHA1 hash:
924ed8ea52a93783789f9f57e14408e74f072221
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
SH256 hash:
fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331
MD5 hash:
3198153b439f1ec8844a8c2584cc2c94
SHA1 hash:
6847679d972de4004d0d89086662a3d501779e7a
Link:
https://www.unpac.me/results/c83d42e6-8742-4600-abac-d93bca091a58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fba42af84ff375bb770a49def85678c10340ce16dfd7ddccd6f473c89955e331

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments