MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec
SHA3-384 hash:	749bbb02e9eb3d7369e82c51cb999caee63062d271b583dc090a43d3d9b40583984dfd48f99c45f06a2b4a7d7dfc0263
SHA1 hash:	3520ea144518235ee7bd0f0e6391bd50c948d42e
MD5 hash:	097db3d7b5f2d5c94d45e96274f6c219
humanhash:	potato-apart-ceiling-red
File name:	fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	726'528 bytes
First seen:	2023-06-08 12:13:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:K0HkmFx2iqNhujGjUGp8rl3BCHXe07W0o2QMEC3DEPHCLS6EK7:ZEmFxU9pWzJ060fDESDEPilN7
Threatray	2'418 similar samples on MalwareBazaar
TLSH	T1B6F4126063B68737D6BF47BD60546E7503F6778A3B11E38B8E83B0E89B2AF540912507
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

270

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec

Verdict:

Malicious activity

Analysis date:

2023-06-08 12:15:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/601b07e0-fb1a-4cbc-8d7c-824de55d62a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396954/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67288369.879.2888.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process with a hidden window

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6481c60b3f1704e32755cdd4/reports/0d5af9cf-6ab9-41cb-9b3b-6bd360bd8604/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d7fa35b0-4632-4732-8fdb-78e165ecb18f

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1251261

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-05-29 05:48:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 37 (59.46%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7xsy7r3x2k2phiwldnpidajsdbo7se27zbnburcwk5gjfmyog3wa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092

AgentTesla

3dcb0606b40e8a5d64da878ee28ae32fcb1c6072aa9a238057548f34c8cdc59b

AgentTesla

420755b65fa49bff0785ce8a56600f1e813f7821fef09f156cfebfb46f8f1096

AgentTesla

4b95211e7383fffec4daeb637c05a257ec7bfdf49de8042de5763da1783276c0

AgentTesla

734da354d0b8c982d436b43e4f8e105382af3d08def6114dfa685d1230bf64dc

AgentTesla

86c51d21c17d07f820d88f41dea0e51f619a66573b72eee4442b50b799e1a73c

AgentTesla

9f05a25d30b22c3d4a8da65f3ef034fc24ed35b97ed418f79d3af4def9f7ccdf

AgentTesla

b060f747e4aa941b42d475cf40290b6211911e1e949d8a2df0705660cd014996

AgentTesla

c38e4548406946201b3324a25a8aa3854eb75a25465965447fa94f5dee97f8ab

AgentTesla

+ 2'408 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230608-pea5psfb85/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

79196b422eead796a5f236832b3444c0e2eaf2076f8947c61ddfe2a7ca0f27ff

MD5 hash:

526dbe0e7d014d3ba9aeb1c73a7e0440

SHA1 hash:

d5693a5c42e9407a3897f67dca0c15b809e5eddf

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

Parent samples :

7b0134022faef8ea8b527241b3dc2e74457b4b05fbe029eb9b0e9bc4d1206453
fbb8dd09df0e0c79dcf488c021765e4fa915ca3a490ea45a78b622565e920f1a
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260
5e949730956708626bb6db283bf7962841aa18848b79a951e84bd29070bddd3f
c498c88360de57bc9aafce102efe582a988ca1859e1f4fba5914a0b02e41a2fd
62d357696687f648091816eca9e33634cdbb61059b37005fc990f926d9f5860e
cee5014c188dc40530d3945c7bb1e2f544f185349e06d6a8a49c9ae9faeafb4a
9b39264190816a89d1eecefd725d8a91ddca7d3c6cf05445025d73c5b7360584
a7bd440cebd598d5baf8741864d87849def7fdd5bd97f35d4b4d5c558a3376c6
1c5cc71cd847d8a2679ec629b631b4d7e1082e7126022ab26ff015298d93a61e
767f8a18d7d28b82d76fd39c3ae639d352659110a6bfa1a4b929f136e034ca8d
369589e738fc8b7e8e74ae15fc398639e3ed906982c7244705a66875cca0a611
99ab8536c0da1f4eb60edc3b8b848de23de618127baafcaa76ff80ab9b9ebf59
a62a229c3b4cf8ab99889409867fed1758148f1187f8afdca2e29fa3b79239d3
85356ef96af996a05fb53ecdaf9b2559a05d0fc23874e8b97a64a46a28ad498c
1302dd8497ba8909d81dce0a4069767bc358b0879443c1982ffea0292f9707e3
a96e05074cd3acbf563b6e88b123197a89260f2c6898f488b2f486c95892a3f5
a7844d54db8f79a6c878de38086ea87e7bd11ecc16f0550f2258b6cd134392e6
e3cd7dbd437ed0c0b5cef54a5d46b44bd63e656175ce1ec0cd669af08c4482c9
228d7f101a604736db5019b9a13d7601003c76a7c55d67a4b1bb42a7c62ea9b3
88ac7d9f157d80cb2aec269591e6386fc57ddb114d129a439ff66a596baf7f7b
fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec
23a80d3ed45bf211ad90814dd5180e6a9d1cc9427d354bcfe344a44537f1d1a5
c7709eedf4730a691a8ae7d73a0e8ccf5642c97317428947a7f6257ed6b30d6f
b92d18e28a0d9818d6b6cb017a1840a5f4786fd32287cd89e71646ebaba74866
b0d9e970a53d36e3238693badcb386b0a7b3abf5331cb9b641f5c606899ce8a4
ff79d1ebcdc848810a296694b628852b7331629d9e0802ff2dc3ff79f7a7344c
04b4ec7781de78306b3a40756ed05d29fdcb63245d48e37ec934010fbf78cbbc
55f3d17f0bab350032e410b1641d63ee3e4a83a87201c1f66f415b71ada380e4
0b048d863c3b5219beb927aab90b4b489b9929dc6959ae7e52c964bf3b80bbff
245a3e28e1419522b57181cd700a2df90cae1da066c181329bbe458639b2f2a8
815156bad70a59b55681690c8b2e48ff3be7703d45131bca0a486a5247dff35c

SH256 hash:

5977d1ae75daf6da9d98994650637082594603330f2db72332904d654f361559

MD5 hash:

2cc8b7ee83d48ff0db4755c6c5561bea

SHA1 hash:

c5d0bcc023b7591741b0690b8832fb6d160fc053

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

4deef56b035550fbfa1b67294a53c162d3ae1993189f0477da6248f1e3932d42

MD5 hash:

7ecbf5c534d32a192db282155fbd677b

SHA1 hash:

9508e480b2d70d55dc75ada6487edc9b096f901d

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

SH256 hash:

0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0

MD5 hash:

34e9924238cc9c184aed0f7e0dd905ab

SHA1 hash:

42e0e3852a327ae2d232858ba41fca9cadd628db

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

SH256 hash:

fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec

MD5 hash:

097db3d7b5f2d5c94d45e96274f6c219

SHA1 hash:

3520ea144518235ee7bd0f0e6391bd50c948d42e

Link:

https://www.unpac.me/results/8373d543-6367-41f8-8c23-25e9aa6f6186/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fde58fc777d2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fde58fc777d2b4f3a2cb1b5e818132185df9135fc85a1a4456574c92b30e36ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/396954/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample