MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083
SHA3-384 hash: 63a1751955d242704de661ba6a9818a8f1a25beeab9cf3022f932070b72ac8bbe7a049609b69ee2f2b2c09b8bc177b5d
SHA1 hash: 46001bc2e3fd01133aa6f3b6f8d32c5565e12ec9
MD5 hash: a65fb419fa22bd427c0869814f265dbb
humanhash: oven-magazine-earth-sweet
File name:INV_00000009_998.pdf(82KB).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:940'032 bytes
First seen:2021-06-30 05:52:11 UTC
Last seen:2021-06-30 12:41:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:6D/2ZQrYy6TTvMsgFNLihltz/q5RfwsxRyIGvKzyl0N1a+SaVB0PJ2HP27SJYJPe:NZQYrvHgFwlBm+2Ryj0i0N1aa0PJ
Threatray 6'210 similar samples on MalwareBazaar
TLSH AB157CAC325035DEC567C6BACAA8AC74A6613C7A431B8107909709DFAE4DB93CF105F3
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV_00000009_998.pdf(82KB).exe
Verdict:
Suspicious activity
Analysis date:
2021-06-30 05:55:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fff4934d-fce2-492f-ada7-2910a2702eaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168877/
Detection(s):
SecuriteInfo.com.PWS-FCZIA65FB419FA22.11899.12363.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b8ff7be-7c44-4832-ae34-0a838f82c1b2
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809764
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 03:13:41 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c36dodstbl654bp6ihryqivzgv2hy6ckzc3lxsfd65rdsfno4cbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1716fb9522debc0dec5a177f2d295fb7a0dbec1439c59f02a4643d749b065024
AgentTesla
28df700cb8f6a7100d2cb20fcb51cd53dad822386d51701dbfbda945c4d2bd05
AgentTesla
3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4
AgentTesla
9805afbc4ec53bea5c08ab912445f1a9e34791eeaaba6c8ec0d50223e2c6005b
AgentTesla
a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
AgentTesla
a997db748e940751ad67b16d4d58b0a4684c4106dd751f52df9d49bd67b9e9ea
AgentTesla
bb739ce9108a4b006bef55dd1e9d2495e482dacef0bb081a71aa946c95634080
AgentTesla
da6c75ea9a77810c91f9376280a0c7c0a28d64aabeba095b53b2c026be24a41f
AgentTesla
dd5a14637f0373f0833e003675e13c4039423d402013d89d85ea345c5d2df963
AgentTesla
f8e54878f6a6f4f3679e0c4d8d53c97ca26c9fde2ff78ace60d6226d8794fffc
AgentTesla
+ 6'200 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210630-gv7zyr9h1e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
3b77679e313571bdac01dd4b17de373584dafb76621172bcf8a9abbae1655972
MD5 hash:
d8cbb65be7f2396beb98ef8699411dfa
SHA1 hash:
b3c05d6936825d99a9083b0da3b60287bb97abf1
Link:
https://www.unpac.me/results/b606431c-64dd-4e16-8b44-c5c5289440b3/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/b606431c-64dd-4e16-8b44-c5c5289440b3/
SH256 hash:
8af433874b78acb3d264b481b8e1bcd45dd87c2da4cdf7efb307551b4787f478
MD5 hash:
d7a0ffbf80d3bee13df691729854ca6d
SHA1 hash:
42f38ec5a621f359562bbc51e27ff4c201aefa46
Link:
https://www.unpac.me/results/b606431c-64dd-4e16-8b44-c5c5289440b3/
SH256 hash:
16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083
MD5 hash:
a65fb419fa22bd427c0869814f265dbb
SHA1 hash:
46001bc2e3fd01133aa6f3b6f8d32c5565e12ec9
Link:
https://www.unpac.me/results/b606431c-64dd-4e16-8b44-c5c5289440b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168877/

Comments