MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c
SHA3-384 hash: dde5303f20da49749fba40adb1e02bf6f7a71aad7569267f26451a0331db9a4a63cfcab9ba031550a3d63da671e0d516
SHA1 hash: 19c3dd05bd07c7aa003a2f9fcfb79e77b564882a
MD5 hash: 403f9de7dafaa3644e7144db564de8e3
humanhash: eleven-diet-gee-virginia
File name:SecuriteInfo.com.Trojan.Olock.1.16876.6984
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'652'224 bytes
First seen:2022-07-05 18:37:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:iZkCido4u43mTc2nt3U5p21TVYjlvFqs:iZbWQpU581T2h
Threatray 3'207 similar samples on MalwareBazaar
TLSH T1AF752207553DED62FA6C3EF1F4042A2A6F8F2E93145AB708DA79329405B27224F6D067
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f08f080c0c088fb0 (14 x AgentTesla, 5 x GuLoader, 3 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.16876.6984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c4854b11764e36f817d84b/reports/7ac4e738-6616-421c-a69c-053c46f87227/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/16741974-2f34-4455-bc59-a73166702748
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025076
Signature
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 657571 Sample: SecuriteInfo.com.Trojan.Olo... Startdate: 05/07/2022 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 5 other signatures 2->58 8 SecuriteInfo.com.Trojan.Olock.1.16876.exe 7 2->8         started        process3 file4 36 C:\Users\user\AppData\Roaming\iHnHPN.exe, PE32 8->36 dropped 38 C:\Users\user\...\iHnHPN.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpE51B.tmp, XML 8->40 dropped 42 SecuriteInfo.com.T...ock.1.16876.exe.log, ASCII 8->42 dropped 68 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->68 70 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 2 other signatures 8->74 12 SecuriteInfo.com.Trojan.Olock.1.16876.exe 6 8->12         started        16 powershell.exe 25 8->16         started        18 schtasks.exe 1 8->18         started        signatures5 process6 file7 44 C:\Users\user\AppData\Roaming\pObsWPF.exe, PE32 12->44 dropped 46 C:\Users\user\...\pObsWPF.exe:Zone.Identifier, ASCII 12->46 dropped 76 Adds a directory exclusion to Windows Defender 12->76 20 SecuriteInfo.com.Trojan.Olock.1.16876.exe 12->20         started        24 powershell.exe 24 12->24         started        26 schtasks.exe 12->26         started        28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        signatures8 process9 dnsIp10 48 smtp.yandex.ru 77.88.21.158, 49771, 49772, 587 YANDEXRU Russian Federation 20->48 50 smtp.yandex.com 20->50 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->60 62 Tries to steal Mail credentials (via file / registry access) 20->62 64 Tries to harvest and steal ftp login credentials 20->64 66 2 other signatures 20->66 32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures11 process12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 16:58:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7u6bkffhy2nammv44ks6b3rwyk74iugoxseyydrn2arl7az4uoga._file
Verdict:
malicious
Similar samples:
1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505
AgentTesla
33a19ea1c739df9fbb3a9f8d81efb67050339afc59e44c611f98ccdd66cc37fa
AgentTesla
3f6c93773e47afcf964b6d01313d63b90dcdb8ac227cd7bb80b232fc924f5aac
AgentTesla
4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119
AgentTesla
51470b54c5f205002945f7a1977dcc11ffc35436335247181445d5afb9988740
AgentTesla
999c19bb669363e626ff41024ebe756e82a200fd874f8099dfbf8776360ccba2
AgentTesla
b1b2dbf6aa0264052009067c102812bf5b7851b52c480056481445c0024a7946
AgentTesla
bec6c14f97cb9bb63215ddd6dab22724d07dfbf633c45f6cb51265c1b6a61ec8
AgentTesla
d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe
AgentTesla
e28bc747ebb0dc285a8421699d80d05b3265c539a61e54c745777a772b871523
AgentTesla
+ 3'197 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220705-w92pgadff6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
e0e262e06b7abce346439dc04fae8430fb394c275c4253f468f5d42bc965d282
MD5 hash:
c1add8a6cad3f6a977ce931540a0d337
SHA1 hash:
daa031fe5c03ddd9ae60399d3fdd2b8db0f14371
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
SH256 hash:
fe84b74265d4575982c29887cc90b606aec59c00e4ae46563a87a831f75acb2f
MD5 hash:
d42d300486ccad65dc0febb4d6bdc8d0
SHA1 hash:
cbe52451025c61b966056ae303dafee7b33adc0e
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
SH256 hash:
b1b2dbf6aa0264052009067c102812bf5b7851b52c480056481445c0024a7946
MD5 hash:
de4e7cc84aabcee374aaadded9af58ef
SHA1 hash:
a1d71bd26b5492fc62e2c0966c50970394d0cc83
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
SH256 hash:
fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c
MD5 hash:
403f9de7dafaa3644e7144db564de8e3
SHA1 hash:
19c3dd05bd07c7aa003a2f9fcfb79e77b564882a
Link:
https://www.unpac.me/results/059e5c60-5d47-4474-a0e7-939447c43e06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments