MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66
SHA3-384 hash:	dea06f73ad625750e33da740098e0682b74acb78bdea2d80a290cb9e3cdd32bdc3889fb292e14ff7636e36f18fb850bc
SHA1 hash:	7452fc04cc7f9bef51777aab689df7cfc9d88107
MD5 hash:	732230d041ccf1f7a750112aee1484cb
humanhash:	stream-iowa-arkansas-william
File name:	fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	476'307 bytes
First seen:	2023-01-06 12:45:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep	6144:gkwmstvLGtELbMUTKZxRM0Xg/FL1X1V9kMp/Bt/Ur5Q/QRgWiSsvu8iQR4dT:xSityjK/RG/FL1XVVIr5Q/lDf3N8T
Threatray	20'892 similar samples on MalwareBazaar
TLSH	T10BA48D823184DCDAE05329F218AFD57061B87D9E8165C60E3743BF2BA5E7342349B79E
TrID	92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133) 3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	f29296968e9e9ea6 (60 x AgentTesla, 37 x RedLineStealer, 35 x Formbook)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66

Verdict:

Malicious activity

Analysis date:

2023-01-06 12:46:41 UTC

Tags:

installer agenttesla

Link:

https://app.any.run/tasks/63813a77-603a-44cc-acc3-7d85e51e780a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/350041/

Detection(s):

SecuriteInfo.com.Trojan.Loader.1222.24993.14528.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Reading critical registry keys

Setting a keyboard event handler

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63b8180b40e878e304232ce3/reports/df6217fd-e721-420d-8903-b6880bcb1b8c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fdee9bcb-9fb6-4148-bc08-ab3127482f53

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1146289

Signature

.NET source code contains very large array initializations

Detected unpacking (creates a PE file in dynamic memory)

Installs a global keyboard hook

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-12-19 08:55:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7vnfozzat53iwynhgkn6kxxqiiugntafvtfmekvsh6zdhvoarjta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

b077c634471ee290e38f9e3ced5375888f93890e6b0840b8db2c1691175019ee

AgentTesla

b3271cac975a34320b8dd67850d535e5ef96651e3371356cf3ec7cfca34a3caf

AgentTesla

b971a16851e90b9ba431ec5c3c739204f16d361b57ac22ab43a05feee0f39ed1

AgentTesla

c375bf8a18680d0924c42bb9186586c7a283e7fe5d694843a76ac28b7d7b68f2

AgentTesla

c8e5da5d94006e08ab1bb069102abaac24bba18c458ad2253527a29380cfdf51

AgentTesla

ce7267faa71bcac017522d43d0d80ad25088c83c65f01688cf26a27b7d264925

AgentTesla

d077b3075b08a6f6ae384794e0ddd8c6e509a029440ec56f1669288730e70898

AgentTesla

d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e

AgentTesla

+ 20'882 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230106-pzl3psbg3v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5471845965:AAGz3YmV7VKz4xbC6JZYPs8qHf8J8palMmQ/

Gathering data

Unpacked files

SH256 hash:

f264e7bd490d14676e8230fc8e2849761910a1ed406893ebd33d143acd52d5c9

MD5 hash:

47b119c7a6067ba99bf5d67dd05f69cf

SHA1 hash:

e0834e0184db6c061c80ab0de22a9f5ad8568e3a

Link:

https://www.unpac.me/results/3828371b-908c-4245-a405-292516f00bdb/

SH256 hash:

6f1a60e04aedc138b0b04350bb0aae324100cb2ecbb04c658c2ddd524ba909a0

MD5 hash:

a7bab4a273f8c68f380e9986e1509ae8

SHA1 hash:

d3bc6817226f316c7edbe55c1c243d1bbb994f7d

Detections:

AgentTesla

Link:

https://www.unpac.me/results/3828371b-908c-4245-a405-292516f00bdb/

Parent samples :

6d0a4b1fd2ec217192b239df4208eceafacdb8655b4f3fb512e4a6af972de811
c88c48da70141fea6528b351fc23cac8da7ea3a520d871f1d65f90b362344639
5c3db7a9aefc84e986c525b61473a8a9cca36afa979935fb66cb34f32f7d204e
fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66

SH256 hash:

ef347a4b5e2d714a1d57067ac4e1485c928eed27689bfc3753c75b57a936cd49

MD5 hash:

14ff91d2a65b84997bda65b65d5e6b5b

SHA1 hash:

1a4e764f2c9e0b4530106fbb3f18604aa05437fb

Link:

https://www.unpac.me/results/3828371b-908c-4245-a405-292516f00bdb/

SH256 hash:

fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66

MD5 hash:

732230d041ccf1f7a750112aee1484cb

SHA1 hash:

7452fc04cc7f9bef51777aab689df7cfc9d88107

Link:

https://www.unpac.me/results/3828371b-908c-4245-a405-292516f00bdb/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fd5a5767209f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.68

Link:

https://yomi.yoroi.company/submissions/fd5a5767209f768b61a7329be55ef0422866cc05accac22ab23fb233d5c08a66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/350041/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample