MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdebc445fec70be18126e1a19174c6db08efaf88a62da477e91c078fe01df740. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdebc445fec70be18126e1a19174c6db08efaf88a62da477e91c078fe01df740
SHA3-384 hash: d13c30933c794d24b513a9bd774106b50fc5992678f61b940fddb2b769013c9427abb069e2fcc9ab9c8bd4b366d60c2d
SHA1 hash: 6171f8547737bdb8452c7620e2fd9e50d335dcee
MD5 hash: 439c5fb843f29f26aa1fae89e9afb5fc
humanhash: fillet-carbon-neptune-earth
File name:Prima copia.docx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'200'640 bytes
First seen:2023-07-12 06:00:23 UTC
Last seen:2023-07-12 06:43:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:bas82ZTsgo2FrznqaUpmcLWxV9pNGeqG8LJMpigBAc:2STVbuKxV9pNEYpigBAc
Threatray 509 similar samples on MalwareBazaar
TLSH T1E2450123314CE282C92A123AEB43F41D3E6563B3ADC097AE64C5A1FF1865E4DD633B15
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon e4ccd4d4d4d4d4cc (1 x AgentTesla, 1 x zgRAT)
Reporter JAMESWT_WT
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Prima copia.docx.exe
Verdict:
Malicious activity
Analysis date:
2023-07-12 06:02:51 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/2e9deab3-e513-4746-bca0-5ac1228d5320

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416233/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.22370.23667.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64ae41a2057bff26cf2329c2/reports/1dd46b8f-b772-4ff9-9cf0-14c94974afa8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fdebc445fec70be18126e1a19174c6db08efaf88a62da477e91c078fe01df740
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76d9a2a8-5c56-4a6a-831a-fb1e14040d17
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271418
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271418 Sample: Prima_copia.docx.exe Startdate: 12/07/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 11 other signatures 2->38 6 Prima_copia.docx.exe 1 5 2->6         started        10 Pcegbvsgr.exe 5 2->10         started        12 Pcegbvsgr.exe 4 2->12         started        process3 file4 22 C:\Users\user\AppData\Roaming\Pcegbvsgr.exe, PE32 6->22 dropped 24 C:\Users\...\Pcegbvsgr.exe:Zone.Identifier, ASCII 6->24 dropped 26 C:\Users\user\...\Prima_copia.docx.exe.log, ASCII 6->26 dropped 40 Writes to foreign memory regions 6->40 42 Injects a PE file into a foreign processes 6->42 14 InstallUtil.exe 15 2 6->14         started        44 Multi AV Scanner detection for dropped file 10->44 46 Machine Learning detection for dropped file 10->46 18 InstallUtil.exe 2 10->18         started        20 InstallUtil.exe 2 12->20         started        signatures5 process6 dnsIp7 28 ftp.svetigeorgije.co.rs 157.90.84.32, 21, 49453, 49716 REDIRISRedIRISAutonomousSystemES United States 14->28 30 192.168.2.1 unknown unknown 14->30 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->50 52 Tries to steal Mail credentials (via file / registry access) 14->52 54 Tries to harvest and steal browser information (history, passwords, etc) 20->54 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fdebc445fec70be18126e1a19174c6db08efaf88a62da477e91c078fe01df740/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 05:09:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xv4irp6y4f6dajg4gqzc5gg3meo7l4iuyw2i57jdqdy7ya565aa._file
Verdict:
malicious
Similar samples:
05c4f71a5caa0ed6809fdfa57b44836f5ee6408d73f6b97cd9a751b696091101
AgentTesla
114210ddeecbf5dd4320338e5a3c5a156841ae1390732a2b71e324f161e32932
AgentTesla
26824a60b529f933c81dbd8c9da85bf8962feab2a7c99dc7ee30723598836d5f
AgentTesla
48b40f42261aa76d3629cfe995b93dfb0a448c2cb1ef513e420c3ba39a57e24b
AgentTesla
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
AgentTesla
53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2
AgentTesla
97b9d63fe195249b2862a13c72cc88f4cb736f846eb91188de18984c231d168b
AgentTesla
a57e1b10f18f7eac6214057a6ee22445d5c9355eeed2c842977445f0a143cca4
AgentTesla
ae615dbfdd6c83d6d78670be7b535f817cd3adc5f50ad4684b9f1b2121523acf
AgentTesla
bb90c8c39ba60347b2d5f2a73a11f9c1f9f7e16251ca3098e4c087257bcce09b
AgentTesla
+ 499 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
collection persistence
Link:
https://tria.ge/reports/230712-gqw8bada8v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Unpacked files
SH256 hash:
87ef3aed69d62b133fbd6c68080b25cf15207d377e3d37823da0ee4035496a0c
MD5 hash:
452fbb63e973a384af6138015141613a
SHA1 hash:
5db7a1e1072e423f1dfd10e957fe730fc46ebda9
Link:
https://www.unpac.me/results/1fa28302-17f7-400a-8a3e-dc016a2727dc/
SH256 hash:
4c15d30e60da10164ef4c67b0f6d25025ba09e17098dbda3086db6e8872229bc
MD5 hash:
45e42190775e8c17787060d29d7dba8b
SHA1 hash:
57182ab83f03f9938c889ced607b46ae76a1b8c7
Link:
https://www.unpac.me/results/1fa28302-17f7-400a-8a3e-dc016a2727dc/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/1fa28302-17f7-400a-8a3e-dc016a2727dc/
SH256 hash:
7867d307ede4e622ca8000e307deb309eecef6f5e41bcac7e1d2f0a2e2805d14
MD5 hash:
4015d985c965c196ed531e5acbc99b67
SHA1 hash:
1e9c50405617be858c2f46209033b61a17570a1a
Link:
https://www.unpac.me/results/1fa28302-17f7-400a-8a3e-dc016a2727dc/
SH256 hash:
fdebc445fec70be18126e1a19174c6db08efaf88a62da477e91c078fe01df740
MD5 hash:
439c5fb843f29f26aa1fae89e9afb5fc
SHA1 hash:
6171f8547737bdb8452c7620e2fd9e50d335dcee
Link:
https://www.unpac.me/results/1fa28302-17f7-400a-8a3e-dc016a2727dc/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fdebc445fec7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/416233/

Comments