MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc8da0b660e959586210bf588d5fb439b4d2495aabb1577a017320e027ee0b77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc8da0b660e959586210bf588d5fb439b4d2495aabb1577a017320e027ee0b77
SHA3-384 hash: cceffb30b7e1bfc96138afb1d8c36598e974f118dc39e72e857667afac626ed0a4d1acb0cac89827208188eedf865907
SHA1 hash: e37d437543cf5d6eaf91d5ac2b71627033b7e1ed
MD5 hash: 52d3e850a359e4b48e0147f10b254ebf
humanhash: violet-skylark-fanta-april
File name:REQ Quotation Oil and GAS,MARINE AS ATTACHED.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:587'776 bytes
First seen:2022-05-23 11:23:02 UTC
Last seen:2022-05-23 11:50:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:i+DwtL+eHIAM6GG9XT66eONLa571czCnFv7vjDx:jco+FM0UcMICFvjj
Threatray 17'864 similar samples on MalwareBazaar
TLSH T102C423289974D5BFCE6E8DF17C21878D7171B341D4A1FCFA1AA290CD2F673098863A25
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter pr0xylife
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
RCHED.exe
Verdict:
Malicious activity
Analysis date:
2022-05-23 12:10:54 UTC
Tags:
agenttesla
Link:
https://app.any.run/tasks/e7e0c78a-a3a1-47d5-b8f1-fb81ec0ecece

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/273610/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628b6e97eba388bb86807558/reports/78075f64-2b50-430f-8795-cb77c882cfd1/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/482c7a98-d5ea-419f-9b08-22ec3acbd4c7
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999699
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fc8da0b660e959586210bf588d5fb439b4d2495aabb1577a017320e027ee0b77/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 09:55:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7sg2bnta5fmvqyqqx5mi2x5uhg2nesk2voyvo6qbomqoaj7obn3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21d9ef381a8b23032d6371bc8969b0565f13eb8e4b74dc38775bca233b79e8aa
AgentTesla
30817622f85ca75a091ed341e082b9f60b93d501717613097177a34f09323b43
AgentTesla
49a9d39a546af011f10b52efa9f9fa003524a7585fb08f3101da8d090e6b93e6
AgentTesla
9b9e7f65b6e87acaeb34f568af68ba6c2246cf320329d56af03673f5f3908ddb
AgentTesla
a14407a599cd28b7437b9e6da4673f348493054295530064eb33886de74f8a74
AgentTesla
ad42e638f96ae99772ba92d8cd8a8f2ba158e23c57e446049f5a784d60469306
AgentTesla
d3be2ee3efb4181dfeeb50d0a3aec292733ab22c39ee474dfd7f3f18780f1224
AgentTesla
e0896f3de4452ba8a69e37e0449fbbbca187f7cadd1dffeef70a8e55f2ae6e6f
AgentTesla
+ 17'854 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220523-ng5awsgdbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
76d4048493621d1f307716c8afb57b9e7974c139918f8c4089cf75de5c32adcc
MD5 hash:
1d014a86e190a9f805e466fab5ab8336
SHA1 hash:
88f42e5a4a08c3f497b37ed899628c36ea293619
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
SH256 hash:
260b5fd8c93db7bf86e36b587079483233020e755074798ddbc40821a4afe0eb
MD5 hash:
13346af03b105b0b8f593724d6dc0c1d
SHA1 hash:
85c3722ba3a0cbe36b4a8997a9476bc498b7b3e7
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
SH256 hash:
f6c807f21c9453e4fef7497fc06dfb7a9486479201ebd71b93a57a32abfbeae7
MD5 hash:
16e1e443f688d94a63f331d6d837e852
SHA1 hash:
5ef9fea7a069e3c9de4278cfc98937ffdadf1ac7
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
SH256 hash:
fdd10fb67e6276b3d848c92d4686f56b2ecbea1d629795a241ca6306a2f62d55
MD5 hash:
f20fd214bbda1a459a3eb415eec86017
SHA1 hash:
c658f61e4f308a69a4509649439814166c655e84
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
SH256 hash:
b4fadc76ca701d1d2c7853649d9b6f7e548e8f15962cb5356882b0409fc99297
MD5 hash:
b6cf91930d12a0795cd03c00c7040817
SHA1 hash:
5b69701506a8904c6282eb1b526369b0aec3ab12
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
SH256 hash:
fc8da0b660e959586210bf588d5fb439b4d2495aabb1577a017320e027ee0b77
MD5 hash:
52d3e850a359e4b48e0147f10b254ebf
SHA1 hash:
e37d437543cf5d6eaf91d5ac2b71627033b7e1ed
Link:
https://www.unpac.me/results/c1daed97-0a06-4914-8189-69699ba94f02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc8da0b660e959586210bf588d5fb439b4d2495aabb1577a017320e027ee0b77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/273610/

Comments