MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898
SHA3-384 hash: ce684caac26ccf3deaa76893c352ad3c61ca46167bba1871a9c3502a7b99f9c61b06c60864180167bf5a9264b141e6dd
SHA1 hash: 0f49b74cc7054fc195bccb3f4f7a0c98f5b6f95a
MD5 hash: 75ff6f78ae0de15e573296771a337b9a
humanhash: jupiter-cardinal-purple-rugby
File name:TÜBİTAK SAGE FİYAT TEKLİF İSTEĞİ_xlsx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:550'400 bytes
First seen:2022-05-13 06:51:25 UTC
Last seen:2022-05-13 07:40:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:SmgToOH6Y1i+7WNyT6lZFX4cY+btBJ+A0uH61zd:YMtY0HyTUFH0uHk
Threatray 17'510 similar samples on MalwareBazaar
TLSH T177C4126277A7926AD26B9734DDC464EC4371AF035C23C64F2DED32ADAB7239505C0A0B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/270307/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe fareit obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627dffef13f1480a3a19c4d0/reports/c989674e-92c3-40a3-a0e6-29d6c54ed942/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb649179-56f9-49a0-b4ff-739bbfc967ab
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993345
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 625841 Sample: T#U00dcB#U0130TAK SAGE F#U0... Startdate: 13/05/2022 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 13 other signatures 2->43 7 T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\qZDpEuZ.exe, PE32 7->27 dropped 29 C:\Users\user\...\qZDpEuZ.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmpA248.tmp, XML 7->31 dropped 33 T#U00dcB#U0130TAK ...#U0130_xlsx.exe.log, ASCII 7->33 dropped 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 T#U00dcB#U0130TAK SAGE F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_xlsx.exe 2 7->11         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 schtasks.exe 1 7->19         started        signatures5 process6 dnsIp7 35 mail.zindedizayn.com.tr 5.250.243.245, 49774, 587 AYSIMATR Turkey 11->35 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 09:37:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c23ka22zv5vjtwot4gnfqvq3is4zfz7rnkoumohevl7ayxqpzcma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b35160a0221a2abd530bf26c039844ed986971c906fcb6e6feedb8978d076b8
AgentTesla
42512dafdba550788ac548fab586c0f1790c5683c6613e57f5105a3e85ef6577
AgentTesla
4ea32ccd68ea4437adbb5639bbbd2a0098107f16b851ac463a136ec5ecba796a
AgentTesla
58c4b64412b4dd61472d6df712f5ec38b7b2f8d88d6607b90804c4253b6400f4
AgentTesla
7380437dac95a9a8818fecf9148f3bf84a1eacf3715336493fdcc63b9cf329ab
AgentTesla
a2136b933c4487133913d9138887fdca955bb78f9071842a958949112af5e67b
AgentTesla
cdd59ab5b482a9dc7c389ae1fd2530449ff84972315d820524d11f8146c2cc8f
AgentTesla
e2b6d03b8580b415e56ab917eb2f131d1b1086bbcc9fee88c390ec3469ed12e6
AgentTesla
+ 17'500 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220513-hm25tsfhhp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
bf587024be4c3c1897ea50a9152be54d9df140d36e47ef7c84014203df771f8f
MD5 hash:
28723fe9b399cfcd1e1381bb3a8d01ae
SHA1 hash:
70a7a474adeca7b52e077d45a9c8ef8ee82722ef
Link:
https://www.unpac.me/results/c33a5f6d-3f9c-473b-a256-a44580f7bf20/
SH256 hash:
9b2db6a121a613adf35beca6e23d3c3a31c95ae443f1fa9bd0c5ed464a0dc082
MD5 hash:
99e20f97e42082ac424f977aa1adef79
SHA1 hash:
17e0d131c3da8af7a5a3172c125fe70f9171cdc6
Link:
https://www.unpac.me/results/c33a5f6d-3f9c-473b-a256-a44580f7bf20/
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/c33a5f6d-3f9c-473b-a256-a44580f7bf20/
SH256 hash:
632ff3d8fbccafbc0ec82d46273f9a036790df4aeb67078075564ed2aea389f4
MD5 hash:
662d8d5c8b5cc63de3827cf27af2581b
SHA1 hash:
77b6aaebf2ad12c34eb6c861eb70d22b498444b4
Link:
https://www.unpac.me/results/c33a5f6d-3f9c-473b-a256-a44580f7bf20/
SH256 hash:
16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898
MD5 hash:
75ff6f78ae0de15e573296771a337b9a
SHA1 hash:
0f49b74cc7054fc195bccb3f4f7a0c98f5b6f95a
Link:
https://www.unpac.me/results/c33a5f6d-3f9c-473b-a256-a44580f7bf20/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16b6a06b59af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 16b6a06b59af6a99d9d3e19a58561b44b992e7f16a9d4638e4aafe0c5e0fc898

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270307/

Comments