MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a
SHA3-384 hash: a145e9336c499fabb3ee3fc28b7b39f5e310dab0f8675f165967b426cc06428fa33603e51e846cf843d083f7d6daa948
SHA1 hash: e34e991b852d3200a106923bf77a43f217eb699a
MD5 hash: 04da4ce60b26bff71c2064495350caea
humanhash: magazine-foxtrot-golf-triple
File name:scan_pw_500_349,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'105'920 bytes
First seen:2023-10-13 07:39:29 UTC
Last seen:2023-10-13 07:41:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KFWTNgrMUMybZKH6B0Dw+pGyCffQVdlfQx+k3tbKq/GD5yX:4WTN2Ka+Dw+pwffQhfQx1b6
Threatray 84 similar samples on MalwareBazaar
TLSH T13835142C0CF809124161E1AEDFD8EA57B2C08CD6664C9D9687C68F995A1393BF09FD3D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
scan_pw_500_349,pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-13 07:42:13 UTC
Tags:
formbook xloader
Link:
https://app.any.run/tasks/c59e3ddb-7def-4377-a1ce-75912ea2b7db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/454059/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/6528f453d9aa1327018194b2/reports/abbe6120-1609-42f5-b578-852de333bda3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66ecfcfe-944b-4da0-9679-137dce6a2f44
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1325160
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Uses netstat to query active network connections and open ports
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-10-13 07:15:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 36 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kqoxqzvvxyzbdartqlbpdxtl7naohayoprccozhwsb23ver5pwna._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
26c004fb03af90aee24cbe0edaeb758c87e8835ce235ecb49b1e0c1eecf17538
AgentTesla
3bc486f0fe0705dc71bd7f103965c5708a878f908ed0ff11ab973af842805a80
AgentTesla
467c52a90f7d13e15318cd8c68ccd3483f7de5c728d1137916b1f440aa1e10c9
AgentTesla
5706d8958701b77e315dcd2d850bb5028518dbea8a851d84680f15b0669430f5
AgentTesla
71e47c516e0fc4c7fa136f0d5abb1fa130ccf34ffea2888c072439311c8aa307
AgentTesla
988ed9d6f58307ca4d5d42471240d5fbc37f31b5bc0e1007869ffc22f12571b2
AgentTesla
c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910
AgentTesla
cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff
AgentTesla
d3a569372c48f3d7e725e39cff6ac165ae330db00fe42ef3916b9db2c94c0126
AgentTesla
ea2adbcb61a20497bc442d31600336a93659f5b38ee367fa83c0a996b0912e83
AgentTesla
+ 74 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231013-jhjclahf32/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
86a4e50e67914d2c939ac004ae05491f2c9034f9ff46fccf7c749330c54dc861
MD5 hash:
a5399bfc669487ffa7254c839612d963
SHA1 hash:
3617ae1f4c3defce474fa7093c1ed0fc10f0f309
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
SH256 hash:
deead051dfd04428f2f576e88e09a58a91b5b47325493b26839bc5399ae5ac8c
MD5 hash:
982ee0b0e8d18f283e048d9b768930b1
SHA1 hash:
8f3ff6f9a0f0f53434b3fc31e87af1c1f8b5343b
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
SH256 hash:
a040efb5ce92995b5d40fd2536c8ad6a93f2d8584a3dd52f07cdb0b34c9e6e29
MD5 hash:
a5a52675690de850e3de6c05a9bd885f
SHA1 hash:
fd953edf2e910fbb43c9e6d4c8d48632bb4e55c6
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
SH256 hash:
903ff173dc86ac544678608c19f3395f06c9ce526bd27f4913b7d0cf80611e77
MD5 hash:
f4e9340dc77dbc344fd534f8aa5e8171
SHA1 hash:
841d43f74d7587ce89b660d753f222acfadff0af
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
SH256 hash:
d511c0658340ec9d35d8f08fd22ae55c6aeebcb52dac453040817a6f9ffd7e43
MD5 hash:
3ac67cb9041168e636198401f53d857b
SHA1 hash:
6207398f41db994130c80150a0c2598045e68b45
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
SH256 hash:
541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a
MD5 hash:
04da4ce60b26bff71c2064495350caea
SHA1 hash:
e34e991b852d3200a106923bf77a43f217eb699a
Link:
https://www.unpac.me/results/e806d5ab-3910-42f9-a7d0-4ddd3bab824c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/454059/

Comments