MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4
SHA3-384 hash:	a979bca587727fa4764251ba9b8fe7046f4b7cd1ae4aa81bcc1711d78dd1a7b253a9ae1a131b3bda12c5afbeb69a69c2
SHA1 hash:	fd5d9f2c7e3e663910412ee9b84f88365ca4ff17
MD5 hash:	61c60fb261c9b694821c16cd6e6a1285
humanhash:	yellow-east-emma-speaker
File name:	Jooikb3Gb3fksCH.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	708'096 bytes
First seen:	2023-12-01 14:08:00 UTC
Last seen:	2023-12-01 15:31:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:MC5gJzIbIxH6r2VXZfSXsRti+ooRQu3RTKbZRxWGbKIiZcbgJ3jQGOfpDDgcA:PgJiIr3SerQ2TMF5bPscbgJT5YpDD
Threatray	240 similar samples on MalwareBazaar
TLSH	T130E412912B094392CCBE9BF76494181893B3BC17A8B0F25C4ED230EF577279195E2E97
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	9642608262208212 (1 x AgentTesla, 1 x GuLoader)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461722/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08a4c84d-5443-4e67-9dba-5609a155cec3

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351447

Behaviour

Behavior Graph:

n/a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-12-01 07:56:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vmhzzl7nxlqizp5hwpgcfopxbtlvlu63fezhulrsgsq65sxb22a._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

2bf88c8e82f306e249d71856460626383a4befe7ca9115afbddbae0c7a960242

AgentTesla

40203565c21de2f3923f1c4bb185068706f0bf56366cb099e6483737020b2ae3

AgentTesla

8f05551c8ddd819665aef513ec44d4f0d3f905fe9d8eca05e2d7857606f132f4

AgentTesla

c17b3e778d12a1b353c665515c1de44df04d6172f0448b62c9cf6dd9e44bb6ca

AgentTesla

c5444c85b810f99e008f31b9ea1b1a128df74044cacf326c27fe1937f5b45fdb

AgentTesla

e0793d63666fd27dd0132db7bd77c06ed6fb2d9dd919aa774886e9732e5db57d

AgentTesla

f925810c89fa8a74336dd667fd0b57e3caf827a0976647a20d655351252b91cd

AgentTesla

+ 230 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231201-rfjjksad2s/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

85c4a06e648262c968016e9e4fe66ef038efcdbe34e093f42b78333d35cfbd5e

MD5 hash:

5acd82ee4872f8c76c20a36361f5f7ed

SHA1 hash:

4b1b5d9d4753581cd8443295dbe7815c799bd863

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

ccf5deedc6390eb6a2b253ad992ad8dca5dc10322b32762abd5909ea5752269b

MD5 hash:

168f3dcf3d5a86db9321b5f7fd83bf0e

SHA1 hash:

4bfc19a3441119467de82e55271c06e47a065999

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

bc99dcc182eaf17394c34611c1aef4ad45c3079ae116c19caa17620d64c39f7c

MD5 hash:

84fe0cc42b4f30e7b6f58c92f9ad3d56

SHA1 hash:

d753cc7cc8e2927f9cde57fb67b5bceebd2f5fd2

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

d0cb57214c5ebf0c5bdcd5a63662c208a08242192c3182135bda1c66f2e3d2e3

MD5 hash:

38d5eb6b078886fb4966810488170aa8

SHA1 hash:

b7d031cdb739e1cb62611e2be9884d7517742d24

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

c4c29900e6ddcb9c92330bdea58607712a80e762fb69c6f8c83fbbcc0dcbfaab

MD5 hash:

41f13071488bcb873c7596eeace497f6

SHA1 hash:

a2171d53b877d555e460c6a1d9f994c75c45ef79

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

0e8a5f6bd3e915b9d2fae9428730dc5017348d23b622bccbb1971e352052734b

MD5 hash:

56feb04fdc8b0453c62267ac204ed555

SHA1 hash:

7d41fb41cac90bea85cb6691a5945568115cbcbf

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

SH256 hash:

fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4

MD5 hash:

61c60fb261c9b694821c16cd6e6a1285

SHA1 hash:

fd5d9f2c7e3e663910412ee9b84f88365ca4ff17

Link:

https://www.unpac.me/results/05a391b3-22e4-4153-bdc4-b6fbcf2b3233/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd587ce57f6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fd587ce57f6dd70465fd3d9e6115cfb866baae9ed94993d17191a50f76570eb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/461722/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample