MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbadf252eb04bc791373500dd2b28c45ef60bf5f34c711c4bff61fe5230c056c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbadf252eb04bc791373500dd2b28c45ef60bf5f34c711c4bff61fe5230c056c
SHA3-384 hash: 80e4b56655763fe2298679777b4e3470369faa2bc242ae65ca2701906e8e08c1230a096030802f19aece088d26cd7b54
SHA1 hash: f5052e76d0dd47411987d4a4de27fc849e1c9a55
MD5 hash: 2e21013d8666ba1eaf72238befc4889c
humanhash: tennis-mountain-floor-william
File name:RFQ#000002720212207.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'128 bytes
First seen:2021-07-22 08:06:01 UTC
Last seen:2021-07-22 08:47:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:330XffCGma1uGU0sBYqFDMRwM3JCJI0povbFyf41/gzUXE1C1c4I7y:UXHCGSGU9gRX+I0kF+0
Threatray 7'865 similar samples on MalwareBazaar
TLSH T1F9F401047B806F4EC5AF8E7A84114C50EBF1E966670BF7C76CD723EC548E7998A13292
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#000002720212207.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 08:07:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/475a9ebf-bd13-4178-9491-aef714a1c2ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173261/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.22131.14920.23714.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fccca68-c40b-4721-b9e4-fa9106d59d54
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820001
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452416 Sample: RFQ#000002720212207.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 6 other signatures 2->53 7 RFQ#000002720212207.exe 7 2->7         started        11 qXLPL.exe 5 2->11         started        13 qXLPL.exe 4 2->13         started        process3 file4 33 C:\Users\user\AppData\Roaming\ulcNjcp.exe, PE32 7->33 dropped 35 C:\Users\user\...\ulcNjcp.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp9A95.tmp, XML 7->37 dropped 39 C:\Users\user\...\RFQ#000002720212207.exe.log, ASCII 7->39 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 15 RFQ#000002720212207.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 65 Injects a PE file into a foreign processes 11->65 21 schtasks.exe 1 11->21         started        23 qXLPL.exe 2 11->23         started        25 schtasks.exe 13->25         started        signatures5 process6 file7 41 C:\Users\user\AppData\Roaming\...\qXLPL.exe, PE32 15->41 dropped 43 C:\Users\user\...\qXLPL.exe:Zone.Identifier, ASCII 15->43 dropped 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->45 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 25->31         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fbadf252eb04bc791373500dd2b28c45ef60bf5f34c711c4bff61fe5230c056c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 08:06:04 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ow7euxlas6hse3tkag5fmumixxwbp27gtdrdrf76yp6kiymavwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dea09c30d8e850fab893b3f17f9bad6898c7e77bb690ecfe523681ca0f07e95
AgentTesla
3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
6c774012ef6641580ad729f00e565e5ab5a13e7eeca97b510f2e2e9e101b9375
AgentTesla
71e6c949b0e259018b39ad513305c9197afe74c9d68119db8e6e545c74ceedcb
AgentTesla
790b008421852f555794a5e59c91f894993dcac641104ca06087bda8c1b5ea50
AgentTesla
9662d1e4c72efe73a1f203ebead6069990342a4da6314737e3a02b08e2d68075
AgentTesla
a3aa3605c436f4ef38f404007ce0305562def1f6e77f244232671b10914894f0
AgentTesla
d375f6f780b9623c85714c9fadae46359a8e308bdeaee7e2161a86c0a89c7d06
AgentTesla
da33725694fafe69b0a72478a9741ae2eac9d294966f160204a93e27f711b514
AgentTesla
+ 7'855 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210722-a8h6pw7rrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1777cd9ad0b3dbe916c96b39c0e166bd7f843efaee5b8e72d2d942f9583d809f
MD5 hash:
3289044218663e11c971bf7d8959768d
SHA1 hash:
55a72939b15eaadb8320a6420134fc64728c4606
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
SH256 hash:
8434cd05c9e3d748003c6fc957197aa4c9049ad1796d74bd70bf5c3b5b91e6ec
MD5 hash:
ee5e246d133bf5a2df54e48f7b4d78dd
SHA1 hash:
45e28577b4607f950fb9dac3a1ca551e22cf3eaa
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
SH256 hash:
9382eb2997d6b5a2c0a1475673adb224d0ffabc2ad24638777a51532c9b60de9
MD5 hash:
8731fc418d15b2ffb3f496d0783cfd3e
SHA1 hash:
32adf11fa9b1e2d66fd579a3946a97325c19e057
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
SH256 hash:
f15d5d42f2fa2c34afdc749a574b7d8468daedc9dac376fc3e7bd5c502d0bf35
MD5 hash:
617cb9d85bc168739197ff764c4da624
SHA1 hash:
bb251d7a233ab2ac089b8b15e401bacbcb4fafe3
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
SH256 hash:
fbadf252eb04bc791373500dd2b28c45ef60bf5f34c711c4bff61fe5230c056c
MD5 hash:
2e21013d8666ba1eaf72238befc4889c
SHA1 hash:
f5052e76d0dd47411987d4a4de27fc849e1c9a55
Link:
https://www.unpac.me/results/2ec5ada0-d315-4a44-b9ef-7a6de331542d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fbadf252eb04bc791373500dd2b28c45ef60bf5f34c711c4bff61fe5230c056c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173261/

Comments