MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49
SHA3-384 hash: 83c0a8f0357ae60387999021501936b8671f9ffefeeb894f044aff6abf643f47f9e1b1d3124c3dd8b5d9f524593f5464
SHA1 hash: f4aee5e4a6797645a861efde70a3c01d77fda603
MD5 hash: 1d55805009e6656a35819a409a7973ba
humanhash: jersey-december-eleven-edward
File name:rFedex-ShippingDocument.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:95'232 bytes
First seen:2025-06-13 08:30:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:FtN13qdXp6aDmdJVKZhFg9ewl/n2/BjCJbx81A61LVoQmotJS:FdsZ61vKZieL5mwa0VolB
Threatray 3'446 similar samples on MalwareBazaar
TLSH T14293C617B6DB8AB1D2945B3BC4E7641043B4E5823693E71E39CE23D91A037BA8FD1247
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
552
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
rFedex-ShippingDocument.exe
Verdict:
Malicious activity
Analysis date:
2025-06-13 08:31:30 UTC
Tags:
purecrypter netreactor m0yv auto-startup evasion stealer ultravnc rmm-tool agenttesla
Link:
https://app.any.run/tasks/1e4fe6e2-4e53-474d-85d6-fbf5358975f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9293/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.24309.6512.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684be2698bd5d68a12e867a3
Tags:
autorun lien
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d3acc755-c663-4565-82d2-45e78e4f758b
Result
Threat name:
AgentTesla, PureLog Stealer, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1713938
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to behave differently if execute on a Russian/Kazak computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1713938 Sample: rFedex-ShippingDocument.exe Startdate: 13/06/2025 Architecture: WINDOWS Score: 100 77 zlenh.biz 2->77 79 yunalwv.biz 2->79 81 34 other IPs or domains 2->81 109 Suricata IDS alerts for network traffic 2->109 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 18 other signatures 2->115 9 rFedex-ShippingDocument.exe 15 6 2->9         started        14 wscript.exe 2->14         started        16 elevation_service.exe 2->16         started        18 20 other processes 2->18 signatures3 process4 dnsIp5 89 drive.usercontent.google.com 142.250.64.65, 443, 49693, 49717 GOOGLEUS United States 9->89 91 drive.google.com 142.250.80.110, 443, 49692, 49716 GOOGLEUS United States 9->91 69 C:\Users\user\AppData\Roaming\Path.exe, PE32 9->69 dropped 71 C:\Users\user\...\Path.exe:Zone.Identifier, ASCII 9->71 dropped 73 C:\Users\user\AppData\Roaming\...\Path.vbs, ASCII 9->73 dropped 133 Drops VBS files to the startup folder 9->133 135 Encrypted powershell cmdline option found 9->135 137 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->137 151 2 other signatures 9->151 20 InstallUtil.exe 14 3 9->20         started        25 powershell.exe 23 9->25         started        27 cmd.exe 1 9->27         started        29 cmd.exe 9->29         started        139 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->139 31 Path.exe 14->31         started        75 C:\Windows\System32\sppsvc.exe, PE32+ 16->75 dropped 141 Infects executable files (exe, dll, sys, html) 16->141 143 Found direct / indirect Syscall (likely to bypass EDR) 16->143 93 yunalwv.biz 104.156.155.94, 49742, 80 SRCACCESSUS United States 18->93 95 myups.biz 165.160.13.20, 49748, 80 CSCUS United States 18->95 97 7 other IPs or domains 18->97 145 Creates files inside the volume driver (system volume information) 18->145 147 Creates files in the system32 config directory 18->147 149 Contains functionality to behave differently if execute on a Russian/Kazak computer 18->149 33 conhost.exe 18->33         started        file6 signatures7 process8 dnsIp9 83 ip-api.com 208.95.112.1, 49695, 49721, 80 TUT-ASUS United States 20->83 85 parkingpage.namecheap.com 91.195.240.19, 49711, 49714, 49731 SEDO-ASDE Germany 20->85 87 7 other IPs or domains 20->87 61 C:\Windows\System32\wbengine.exe, PE32+ 20->61 dropped 63 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 20->63 dropped 65 C:\Windows\System32\vds.exe, PE32+ 20->65 dropped 67 114 other malicious files 20->67 dropped 117 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->117 119 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->119 121 Tries to steal Mail credentials (via file / registry access) 20->121 131 5 other signatures 20->131 123 Loading BitLocker PowerShell Module 25->123 35 conhost.exe 25->35         started        37 WmiPrvSE.exe 25->37         started        125 Uses ipconfig to lookup or modify the Windows network settings 27->125 39 conhost.exe 27->39         started        41 ipconfig.exe 1 27->41         started        43 conhost.exe 29->43         started        45 ipconfig.exe 29->45         started        127 Writes to foreign memory regions 31->127 129 Injects a PE file into a foreign processes 31->129 47 InstallUtil.exe 31->47         started        51 cmd.exe 31->51         started        53 cmd.exe 31->53         started        file10 signatures11 process12 dnsIp13 99 fwiwk.biz 172.233.219.78, 49727, 49739, 80 AKAMAI-ASN1EU United States 47->99 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 47->101 103 Tries to steal Mail credentials (via file / registry access) 47->103 105 Tries to harvest and steal ftp login credentials 47->105 107 2 other signatures 47->107 55 conhost.exe 51->55         started        57 ipconfig.exe 51->57         started        59 conhost.exe 53->59         started        signatures14 process15
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pag76dynru3rjwxgg4ve62fuuq3fwdpvoq5fqmqyt6pi4bepneq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
expiro
Create hunting rule
purecrypter
Create hunting rule
Similar samples:
14cd8b533a733528b57653fe03f473fc9f4e6c92568af10145123815ac6dafb8
AgentTesla
1b1d1a65961e2c873037316cddc4c2dd55214efa43fa32645a2d0571b1f16ff1
AgentTesla
3ab01b2ae713f3f64d98e50cc72e066329b78751621d91b01f4b1736b69163fa
AgentTesla
5283ab39f60898d4bbe81b8de3cf5f169f283a8fc9ad018c2ffe63d123a2d6ee
AgentTesla
7947afbd19d717bd458daf91ee53aa4ee7c6cb5178049c4bafbbffe6ceff3210
AgentTesla
d63374d386483c50ad66754aa271868a235eef4f31d7085bd06c1bef92a7f3c1
AgentTesla
dfbcf48f3db81d8626fc81d445d828e1f51839ea43f959e35ccaa476c44e9373
AgentTesla
e16892d3c0d41202a092889a2ad97165801f7e17445d4bb927d2bc1d647c47ff
AgentTesla
error
AgentTesla
+ 3'436 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250613-keeexatmx7/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/45d2c3ac-f22e-4dbf-917c-c7a43faa9173
Unpacked files
SH256 hash:
fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49
MD5 hash:
1d55805009e6656a35819a409a7973ba
SHA1 hash:
f4aee5e4a6797645a861efde70a3c01d77fda603
Link:
https://www.unpac.me/results/2a6718fc-5859-406c-83d2-223af5ea0f5b/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fbc06ff8786c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fbc06ff8786c69b8a6d731b9527b45a521b2d86faba1d2c190c4fcf470247b49

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/9293/

Comments