MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
SHA3-384 hash: 373338f123611de144bc42a31e4496e0437eaead93428c22877015aa42f33e1592cde0c024364c48e3be7ee63cddb08b
SHA1 hash: 048531ddad7567578273304cd0936b096f705c36
MD5 hash: 53143b416328179a93869f8951a360a4
humanhash: aspen-football-london-oregon
File name:PAYMENT COPY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:772'608 bytes
First seen:2023-05-30 14:52:12 UTC
Last seen:2023-05-31 06:03:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Yu2B0xTGlxNqvNu2hZ+nUEsn9xlYex3upGg29lHwsws24O9I087uKaMi7CL44fn:YuLaVUH999xup8OfP4O2/uKGw
Threatray 1'964 similar samples on MalwareBazaar
TLSH T13BF4F155B1BB4B1BD0BB53F58904A2381BBE569CB872E31B8EDBF4D71916F014980B23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
299
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT COPY.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 14:55:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/413362cf-2f1c-41de-b615-b0ba73591ed0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393623/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.9396.26724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/64760dce4a06a5cac15871b6/reports/24e78680-fcb3-4cac-b790-518a9e0e9fbe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f135155-213b-45dd-8dde-98bead2cd4b1
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245402
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878408 Sample: PAYMENT_COPY.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 7 other signatures 2->80 7 PAYMENT_COPY.exe 7 2->7         started        11 XvXcEIVnjOUcL.exe 5 2->11         started        13 sOFvE.exe 2->13         started        15 sOFvE.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\...\XvXcEIVnjOUcL.exe, PE32 7->52 dropped 54 C:\...\XvXcEIVnjOUcL.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmp925F.tmp, XML 7->56 dropped 58 C:\Users\user\...\PAYMENT_COPY.exe.log, ASCII 7->58 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 PAYMENT_COPY.exe 17 5 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        98 Multi AV Scanner detection for dropped file 11->98 100 Machine Learning detection for dropped file 11->100 102 Injects a PE file into a foreign processes 11->102 26 XvXcEIVnjOUcL.exe 11->26         started        36 2 other processes 11->36 28 sOFvE.exe 13->28         started        30 schtasks.exe 13->30         started        32 sOFvE.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 60 api4.ipify.org 173.231.16.76, 443, 49710, 49713 WEBNXUS United States 17->60 72 2 other IPs or domains 17->72 48 C:\Users\user\AppData\Roaming\...\sOFvE.exe, PE32 17->48 dropped 50 C:\Users\user\...\sOFvE.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 64.185.227.155, 443, 49712, 49714 WEBNXUS United States 26->62 64 208.91.199.223, 49716, 49717, 587 PUBLIC-DOMAIN-REGISTRYUS United States 26->64 66 api.ipify.org 26->66 68 api.ipify.org 28->68 42 conhost.exe 30->42         started        70 api.ipify.org 32->70 88 Tries to harvest and steal browser information (history, passwords, etc) 32->88 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 10:00:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3ugsbvfbrahjjyt4veewmlcjlx6g3z3t77mxdufimnp5vq7oi7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
036f901bbb4baa9472c984aa6c7e9786f252371c85e469d56c656f4b97c47e9f
AgentTesla
3784e3fe1f4905e731a48543d4eb3b9db4e6ae6352f2a5b46974457e1fa0e27c
AgentTesla
6606e8e5dbcaf4e3c38620c97849f456c0bac6999a075575d7f24ed742c4ebef
AgentTesla
697c1f0051fe7230dd1cd8c8a23867cb69912ffe09e0d71950de153b19f41133
AgentTesla
6ba348dfac24550cca10be771bafa25a19f9baca0651f4467c71b8974a163061
AgentTesla
77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
AgentTesla
c8f4d475fb49c545a0cf3137ba0078a30f668fd5f638d3d5a4744c76f3db74b5
AgentTesla
d4bbd5ce6f012df9861c4bee326c87539c7b92b5cbdfb73b54fd7f1321d15eb9
AgentTesla
d7300cfd284114c32015ed2c8d711f8d5c204428e85addd79fc73539c024ca7e
AgentTesla
e28f5580f49499fbe090745eb426fce6b027c44a07f9319dd239826aad4f6d8b
AgentTesla
+ 1'954 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230530-r9ahrsae4x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07
MD5 hash:
aa445eee133a93b202ea105e5de4e232
SHA1 hash:
c0968cfa259d38fb80af27465c314ba889b08296
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
Parent samples :
baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
5fd48b050a0181e018a9b627f088f2a5b6664b374aa6f2a73974fad4df6e5d7e
MD5 hash:
8d4d2d7265b8c194edc45792f3de324b
SHA1 hash:
8d44a4ac403f11684f067f32dfa3fafb4519f13d
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
SH256 hash:
cb6b83d3db38f5b692e6ac72c7bb8644bda225cae3f71b48f2a761b87c493e53
MD5 hash:
7a62e6760680bbe9b77f2e1a9cf0715e
SHA1 hash:
528d7141715c64f08b0fd72380a2f114a5113a3a
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
SH256 hash:
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
MD5 hash:
53143b416328179a93869f8951a360a4
SHA1 hash:
048531ddad7567578273304cd0936b096f705c36
Link:
https://www.unpac.me/results/c446d3d4-b493-4bfe-b71d-d99087648504/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16e86906a50c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393623/

Comments