MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d
SHA3-384 hash:	169a70e9422fd94d2bf2d7bdac7a32375f70fcde4a9ad8d93fc82ed744d412c7753c02d1c5e8ec7154de759097becd30
SHA1 hash:	6a7934272c41f367ea106c41d16412b20bb5539b
MD5 hash:	4aeb0f6ae39ff8c68cd398029b370486
humanhash:	montana-fix-east-table
File name:	TcSzPgyAqC1WEJQ.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	797'192 bytes
First seen:	2025-03-11 06:51:31 UTC
Last seen:	2025-03-11 07:18:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Q4uc154pdTV8IFWqwhvGHPGIR4xDzPrD910zwCZJO3uKHV+xpq/nTZ7ZCzX33fyu:Q4ubd+/RWG19GkCJK1l/ntIzX/yu
TLSH	T12805F1447724F99FDB6A4DB04913EA3183B02E7EA15AD3C19CC7ACEB308DB859A14747
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	AgentTesla exe jeanclutchgroup-top Spam-ITA

Intelligence

File Origin

# of uploads :

# of downloads :

486

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

TcSzPgyAqC1WEJQ.exe

Verdict:

Malicious activity

Analysis date:

2025-03-11 06:49:17 UTC

Tags:

evasion stealer exfiltration smtp agenttesla ultravnc rmm-tool

Link:

https://app.any.run/tasks/8d49df1d-6257-4815-b0d7-dbed0cb07d05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67cfe08f0d1b39e3a208f094

Tags:

injection obfusc micro lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature obfuscated obfuscated packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/67cfddcd3c5f644bd94cb284/reports/86ab9406-0bc8-43cd-b19b-a50f677aa502/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14633bf7-a012-41b0-9608-34b83c9687de

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1634939

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d/

Threat name:

Win32.Trojan.Genie

Status:

Malicious

First seen:

2025-03-11 06:48:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=73ag3z6qifcph54dp4npeopeo3m5np23o53jeqfhcrov26v2uygq._file

Verdict:

malicious

Label(s):

unc_loader_037

agenttesla

Similar samples:

error

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250311-hndhvswwhz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/65182f86-fbd0-4fe3-8768-5eef85cec7c3

Unpacked files

SH256 hash:

fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

MD5 hash:

4aeb0f6ae39ff8c68cd398029b370486

SHA1 hash:

6a7934272c41f367ea106c41d16412b20bb5539b

Link:

https://www.unpac.me/results/1fd3b8ea-ffe1-43e6-94bf-edd1f8f15ed9/

SH256 hash:

4b426024b9cdf08bdb71505a901b732b0b6c48d637ecea6790d58dccbcf03043

MD5 hash:

4509d0ed4ee0591712932d1d86316d39

SHA1 hash:

02b028b48411a48b1998e6653212a8a398a42a81

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/1fd3b8ea-ffe1-43e6-94bf-edd1f8f15ed9/

SH256 hash:

f0c6b238432014bdff20c7cf0aab90f8eba2cf8800ce5ac501e2a1262cb26fbb

MD5 hash:

76d676960d9fff9c0e33e5068ec3e9d8

SHA1 hash:

61d4d469a28029eb9f5a68463ab21529a2ab4ced

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/1fd3b8ea-ffe1-43e6-94bf-edd1f8f15ed9/

SH256 hash:

c5d3cd63dc64a4dcae62501ea162d1bbdbe69fa680a09eb6a20cd8dfdedabe0c

MD5 hash:

39282b6235ed024a94de88491a3abe02

SHA1 hash:

6d07033795deef573e7dd521c63a7469d936b859

Detections:

AgentTesla

win_agent_tesla_bytecodes_sep_2023

INDICATOR_EXE_Packed_GEN01

Link:

https://www.unpac.me/results/1fd3b8ea-ffe1-43e6-94bf-edd1f8f15ed9/

Parent samples :

646456f832bf387fc22d1c5a26e2adb6473c19045994a54948c0dc07aca07022
646b946b30b9ab434115d2527ef526a6cda507a315b3ddfdce1f3fb6159f95aa
9a6f5e16552d185a6bf7d82cafe02a49a982066ab8035c175bcbd7d0ae0c550f
64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe
fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fec06de7d041/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.09

Link:

https://yomi.yoroi.company/submissions/fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample