MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 6 File information Comments

SHA256 hash:	b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786
SHA3-384 hash:	fee789acc24970425fdf47edd5298b0f26f64f7f57c9a8240bd6b23dd2e1853d9337586d892709137af4afad07e96c68
SHA1 hash:	2a1e127f06947d1bc92b94f6c487068a0ecbc2a3
MD5 hash:	11803391d6ac804ace70687f726a28e9
humanhash:	gee-charlie-freddie-hawaii
File name:	New Quote Equipment dated June 3, 2023.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	276'001 bytes
First seen:	2023-07-03 08:10:29 UTC
Last seen:	2023-07-05 13:04:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:vYa6QFgefJRfbSay6aGe5AllDO9R0cM59HQtctLVc:vYWOkRznyjTAvDODMDQGlS
Threatray	4'615 similar samples on MalwareBazaar
TLSH	T10C4412502BC1A5ABF93347B272AB439E65BBA5121C58B64F37001F5E7C705D28B0EB63
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	cocaman
Tags:	AgentTesla exe Shipping

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

New Quote Equipment dated June 3, 2023.exe

Verdict:

Malicious activity

Analysis date:

2023-07-03 08:16:55 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/24b2272b-a1ea-45f6-975c-d25940941fdb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/405763/

Detection(s):

Sanesecurity.Rogue.0hr.20230703-0239.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95199/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/64a282972299d26882644efd/reports/b1f54deb-a51c-4fd5-9634-4856eea261b5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/826255cc-1f5e-4460-9e8b-92284b8ca954

Result

Threat name:

AgentTesla, NSISDropper

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1265633

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected NSISDropper

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-03 00:26:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 38 (81.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=whcpeucbtaafzesfffmy4oqohdpuskpoisd2g7wm7dngevjtg6da._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1

AgentTesla

5b8c0c56e48b1a5046c75da4416a009d3c9e00ab046223139551ba6c7126e4a7

AgentTesla

6648b8b1ded4b81559713a9ef6402b5a05c6d439b40c044123ab7e765d50d241

AgentTesla

a5d34ece4e0c8709f29adb00104f06ec740cbd5aa4e1c144c911fd16f5494ad1

AgentTesla

b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786

AgentTesla

ed970f5692d7a2e1fcf63f57635b45304d047c2d0f3b854dae2a39bff7e9707a

AgentTesla

+ 4'605 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230703-j3ak7agg81/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

Parent samples :

bd474569f1f7ea440aed8f54a561f6f8a7467aadbc053cb8fc8191414b642b8d
1b5d95e350eeadcc8bfe9f36eb86c0997cb3b0c5f2cecef544b84efb8abdace1
b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786
5b55c1189d8a5080141c4fa441f8e88133a3786bb7000bec83648eaf2086ba54
32abb7f0c67327f53e15d72bdcfe4697cfd27da618a0d81a00a81491372a8392
b50c84cec54cb91b20d9dcef3df35a5936d5d81a029c49b737c85f12b5cd861d
a6ff3a070e5e8fcbf4d1da9ee062b9fd91e1773e17f27c86310b13747739fb2d
ad942fc486c91d8bd5c3d1ab5266d94582b10ea8ac3f284c6914d8c0e1542af8

SH256 hash:

ba815e73f6a35bcc152c8ef62d6d7ae2dc58bff478605725bb9f2271c6161285

MD5 hash:

b47997f2fd3241a8994ede9551f64e81

SHA1 hash:

be6e025f9b6650486fc4a56eef2cd0f4d105061d

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

d4c63a67770da197cddde77817164662ad355611ca36205f16d0dc702c4cf3a2

MD5 hash:

a38e215c4ecc019ac34d8abe64c491de

SHA1 hash:

571b3c9593651843d3e22bd239eacfcf9cc39948

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

Parent samples :

SH256 hash:

ba815e73f6a35bcc152c8ef62d6d7ae2dc58bff478605725bb9f2271c6161285

MD5 hash:

b47997f2fd3241a8994ede9551f64e81

SHA1 hash:

be6e025f9b6650486fc4a56eef2cd0f4d105061d

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

d4c63a67770da197cddde77817164662ad355611ca36205f16d0dc702c4cf3a2

MD5 hash:

a38e215c4ecc019ac34d8abe64c491de

SHA1 hash:

571b3c9593651843d3e22bd239eacfcf9cc39948

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

686cf9d8821f34c46528a5683bfbb7f09b96257cf59f36b14bcbee12d5c7152d

MD5 hash:

91cdf1744712d4839c1837d00182a8ff

SHA1 hash:

e7e6952939e6f1d6159fe856dee7f57516ac9c8b

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

Parent samples :

SH256 hash:

ba815e73f6a35bcc152c8ef62d6d7ae2dc58bff478605725bb9f2271c6161285

MD5 hash:

b47997f2fd3241a8994ede9551f64e81

SHA1 hash:

be6e025f9b6650486fc4a56eef2cd0f4d105061d

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

d4c63a67770da197cddde77817164662ad355611ca36205f16d0dc702c4cf3a2

MD5 hash:

a38e215c4ecc019ac34d8abe64c491de

SHA1 hash:

571b3c9593651843d3e22bd239eacfcf9cc39948

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

SH256 hash:

b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786

MD5 hash:

11803391d6ac804ace70687f726a28e9

SHA1 hash:

2a1e127f06947d1bc92b94f6c487068a0ecbc2a3

Link:

https://www.unpac.me/results/fac331bf-6388-4c6c-9589-b4e6f60ea892/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b1c4f2504198/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1c4f2504198005c924529598e3a0e38df4929ee4487a37eccf8da6255333786

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it