MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
SHA3-384 hash:	0006c45a55360500ce58ea35135ecd7ab225699704683f94be3adde3c38e1831c0551e3493d38023b7ae0afd6b2e1817
SHA1 hash:	10026b79989ef8920e15d6210c27865267faa1b0
MD5 hash:	959860993197f8ad86fdd7a195009674
humanhash:	crazy-fix-washington-connecticut
File name:	4-33D-23-KM - MAIN ENGINE SPARES.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	753'664 bytes
First seen:	2023-09-26 17:16:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:R0WWObWqLR1lxhkYhc2IBX8K9kqaTRR5D01Z3qDSVpN/7oaM373bZTS9UilqFW:+4JxDGtkqaTH5DyZ3quN0a63bc9Uilo
Threatray	102 similar samples on MalwareBazaar
TLSH	T1CDF412B6B3F88A6AE15E11BC452580154F3326172022C7A979DEB1FE4F957811B07FB3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	61ccae5d69b28c61 (9 x AgentTesla, 6 x Loki, 2 x SnakeKeylogger)
Reporter	malwarelabnet
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

305

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

4-33D-23-KM - MAIN ENGINE SPARES.exe

Verdict:

Malicious activity

Analysis date:

2023-09-26 17:21:09 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/79432db8-1dd0-46e2-b00b-3982c0c8a715

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/451324/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6513120f32ffdb7a7a1526ae/reports/e9f969e7-bd60-49d1-802d-93b8fdcce0ec/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/362dcc99-370f-40fb-8361-053f83de5ef0

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1314729

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-09-26 03:56:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 35 (60.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=suqw24p76ebisjmzvqwd4etuftdip24kwpxmwr2tm33juobjouiq._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

2ae4e8a0670ccf4c27523323f5d40c994709abf7cd7336ba7c48ee50861430df

AgentTesla

3b79e392617523720c040a2e0b39f0ff47593a420ecc9edcb9cd8b9e1d7baca6

AgentTesla

75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f

AgentTesla

9ffa96e46faf0575d49897cf2babb92f611980b60b539483d162cda6ddc19057

AgentTesla

aff3c6ff3ee41b9772f8e47332a9a6a4681c65b5fa0abb51a621d628fe2f89bd

AgentTesla

b70719f9588ede8d438d20b549b4fd430c9363eea7dd42e8a15be7d2a520257a

AgentTesla

becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789

AgentTesla

de99e6f0be1e9a5d12fa7d4fe82b34cfb6ba6b85cee18e4acec0d7f97593bcbf

AgentTesla

+ 92 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230926-vtn8rsdc89/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

5ec2db7731d55e932432b2ddfc4587d20a6abfb77699d24aa7dc5ab16b078bd4

MD5 hash:

e605e4995babfb835c676729e26e7256

SHA1 hash:

b2827dedacbf29aeabdb4d4ad30cabd87e646a9a

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

Parent samples :

28375a1b1f2ea0e88846a60930ad76d4c68bd3f0545daebced5fb64fca085616
95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

SH256 hash:

8f5c0c2eb2e763b06d10926f06ebbfc411e58bcabcb0a0a39257421e3ade308f

MD5 hash:

d04d4754040256cfad2c243631de5125

SHA1 hash:

5ebe5172272b91403ebf8ae5aa4c6a2d1630dc87

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

8166edc6402990e60b92312dd5e6347d8579bfff3958e37bed5cebc316705c5b

MD5 hash:

5cad89fc586f13bd55a4788c995ec3d9

SHA1 hash:

e767585176f1a7ca61ca7a8b732f791a4f883c45

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

63563be1b52bb81ae67c1811ffc9f6c4fe1f8f78ba7af064c604f8b530126497

MD5 hash:

cf3d0cfcd931528b09721df99c15f3bd

SHA1 hash:

dd78683262154b4ade2c6bc002fadf8b3331260f

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391

MD5 hash:

1622a62bf6805b2dca82a8632eceac71

SHA1 hash:

071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

03af41e85acf76ff40292f1fb3ba65dcf5979ce62a0652d302c2eba5d6073699

MD5 hash:

6c94753ff814c748ed7aa9b75f4e1653

SHA1 hash:

fb4bf9932f4cce746d104d8882d43a3bad4d0953

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

ea0ee7c3b016eee3250146f308021331921d5a11ce3f3d726515c709ed431e3f

MD5 hash:

03b93bdd7143bd9a0e3727574578c9d0

SHA1 hash:

3c560938953e2a57c905dd800d8b185e4bb2763b

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

0600d7c63154b536433aca1f873844b7af1e02dbc5fe97c7be170d462a51a8e5

MD5 hash:

37764914c5b05a0998295aecd25fc306

SHA1 hash:

3a5b8dc8faee0c31dc2581007324c632862e453a

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

2667968fc4f82b4da7ed1207708c7dbd8b2e43bf1961f2d71b87d15cb4c66962

MD5 hash:

cefb5d52e9f027b2c32d194c27743477

SHA1 hash:

385a3074f02833b1ac9feaec29f63c0f06fe1bbc

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

39597721cc4deb29130f72f7f51132207b99712dde663b94147f754597de02a5

MD5 hash:

39b5ff04930403afb0b42303ac1a9c5e

SHA1 hash:

0931711bed1266750ae109153e741ed6f19da152

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

6132514e2c75744c36fe1ec357a15bd9abe912f53d594ad79ce692a7f094def3

MD5 hash:

cdf5e91b9ab775eebe82776330639fe2

SHA1 hash:

052ae6486d87a218454dfa7cbe7c077e2746bebe

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

SH256 hash:

95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511

MD5 hash:

959860993197f8ad86fdd7a195009674

SHA1 hash:

10026b79989ef8920e15d6210c27865267faa1b0

Link:

https://www.unpac.me/results/6767cdec-cc67-46fb-a258-4063958a14fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/451324/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample