MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8
SHA3-384 hash: 969cc7bc760e29714f64e1fcb53a626ba594350ff93e8d650ba04f074f5338bca57ad23b554eedf0594e65a7a43a4054
SHA1 hash: c3daf12f3b96cdf94a924c34591f35200c81ccc1
MD5 hash: ecbfa8953c4e37bb4033e9c14425a310
humanhash: sierra-virginia-rugby-five
File name:MV XIN HAI 588_vsl particulars.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:497'152 bytes
First seen:2021-08-09 05:33:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:d2bTlwnduKofXRmpvAPvgutJjZayb4Kn:cbRwnomvAg6JQK
Threatray 8'409 similar samples on MalwareBazaar
TLSH T1B1B412827E49C259D1988A33D0D3536217B3BD627A71C00A658CBFA63F733DA6F41B85
dhash icon 00e1e6c6e67c0c62 (2 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV XIN HAI 588_vsl particulars.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 05:43:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8fd6e67-b989-4f32-9180-34379a90172a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177425/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/211f1114-d042-4f69-b8bf-302771af9bc2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829004
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 04:36:03 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c33wzcbknvonxxg4iq6r7samkjaruz3isqfjbz4gj37gvlff3lea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
061a17b2f76f71715dc416c7fa1baa215fa0b9437ebf14fa95a2a16208fc4e8d
AgentTesla
1999b409b4fdabafe9343b5a7d3f4ac0a019fe8f1f5d7ca3caf9fbe051c01ca8
AgentTesla
365f029082236e51ab346d10388e952e52ca1d99e44fa40578b3497b737a10e2
AgentTesla
36ae717bae1f33b2d8726073f934fce844ca94e9eaa3503fb759d7c4b546ae10
AgentTesla
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
AgentTesla
a87fe4d0a4104d38592687a14002f70993af593fe3b05fe293886c8469a0ab55
AgentTesla
e19c08f599af43e73bb73b7183ce1b8a1e6712640d185d6f29ae0cf165bdfef5
AgentTesla
f6a7a0bf925b8afa5152db2c60403056b5d8e53d1daa948be46b123f35e3af90
AgentTesla
+ 8'399 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210809-78grkm5n8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
11775d617be158e5ba10cf2c267f607d7b3494db2585e3ac7764fe1d41ce5d73
MD5 hash:
650634e31f94cd41577cc5fdf8464f0b
SHA1 hash:
b018372d643dcd38d9f11ab88486eb755943a6d6
Link:
https://www.unpac.me/results/a3a24f56-5d44-469b-916c-7318a9a6aa01/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/a3a24f56-5d44-469b-916c-7318a9a6aa01/
SH256 hash:
8b2f4fdbf20f2d155395afceb7fe170e4a8f8bc4e009e7d5215253561b0a30d0
MD5 hash:
c73c2d484be75385846f4b8ab6b3cab1
SHA1 hash:
38de36c9891b9ce84b58c94ec1bdf571490a76a7
Link:
https://www.unpac.me/results/a3a24f56-5d44-469b-916c-7318a9a6aa01/
SH256 hash:
dc6689cfa443faf549c388362146c834af48e52084d6ffc290f12619fd131182
MD5 hash:
7a53432df74cb421ce35e74be3505c96
SHA1 hash:
23d622d06fd63dc4a0f3e3cf26be442ba9b0f2cf
Link:
https://www.unpac.me/results/a3a24f56-5d44-469b-916c-7318a9a6aa01/
SH256 hash:
16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8
MD5 hash:
ecbfa8953c4e37bb4033e9c14425a310
SHA1 hash:
c3daf12f3b96cdf94a924c34591f35200c81ccc1
Link:
https://www.unpac.me/results/a3a24f56-5d44-469b-916c-7318a9a6aa01/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/16f76c882a6d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16f76c882a6d5cdbdcdc443d1fc80c52411a6768940a90e7864efe6aaca5dac8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177425/

Comments