MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4
SHA3-384 hash: 575369aa7df83ff69f25da1e8ff9b7671bca603e8511c15ad8fd0ae3639fa8022a39e5bb3faab0a3675570c76ab12748
SHA1 hash: d0a860f242a6fe8a52490eca7bc3c886eec73c39
MD5 hash: 35b02f4fb30db82436b28b952fb3b8d1
humanhash: asparagus-tango-echo-princess
File name:DRAFT COPY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:319'392 bytes
First seen:2023-02-17 09:57:30 UTC
Last seen:2023-02-17 14:28:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:/Ya6Qy5KQVO5G4jVRV777aCCTLuXbpMSEDx4kQo51nkP:/Yu2dO82zi2XbpREdT51nkP
Threatray 3'547 similar samples on MalwareBazaar
TLSH T16A6412503394D867F87687353E7B829B2BF9DD0254E14B0F23A067A87F62762C85E760
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe Shipping

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DRAFT COPY.exe
Verdict:
Malicious activity
Analysis date:
2023-02-17 10:02:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77cfc714-37c9-4c2d-9f91-1d23c7c4a705

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/367606/
Detection(s):
Sanesecurity.Rogue.0hr.20230217-0634.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/71220/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63ef4fc0c7a082600e466502/reports/9f26045a-c287-43fb-bf7b-9495b08d369e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d1dccf45-2bcb-4b95-81d3-cd857ad7101a
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1177825
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-17 03:10:44 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqlmmfxz2v7su4plj7mqljvb27dt4shqeqeydvdxcnvtyrek5ksa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05238efd964125503399743df334ea2ae9bdc4871c2ae1537b49874c6976f951
AgentTesla
30940d9b877543d2ccfc9a1b800a2459d0acb9b832a10766ba27692d70c9fc20
AgentTesla
3191fe463f8c9a91ccf9ed9a81daef803f9c184fcb093b24ffafa1f2f318eb64
AgentTesla
4adcc8ef0f0f441cf8e44f0c3c446f620409dbf79353811fa4d6526c6752f6ae
AgentTesla
7ea54a151d7340d97ccc3d53dbf82900b2205f0df10b0571a12501ecaad5359d
AgentTesla
9cb9879c7e69ffbddc7996aa36c506ae6870c1226ec4ee6df8bdab7d50e89911
AgentTesla
ed1dd3f734ad29aaa1da6ada3823d8537704310f257e44524ea08d4c5f81ff3e
AgentTesla
f873aff34af07e0be6364498ef313f9e21454ba6fcab0a24c5da2a438de2770c
AgentTesla
fb50bb27d93d0f198dc7df0a806bf3e20e9f356f618d1c3d48d2fcbaa1726591
AgentTesla
+ 3'537 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230217-lzpbaaeg86/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
94d341df30a3c6ce139f083130367e95fe8013493eb24492d45112229a10bb0d
MD5 hash:
679b96b9c6239afa9e77857541699ee5
SHA1 hash:
9460f7df2b036ab6be7eca0fb7b22aeeb76c033c
Link:
https://www.unpac.me/results/85cde52a-9367-4de2-8ee6-59beb5926f6c/
Parent samples :
720be830d608d17de8f83bde1fd7a90db5bd75ebad8fbe10d60ea4bd1fa9f760
1e78015efee2b6e94749afd35ae539a88520ff959e06ca20683c6d0d7218b4c2
22c4b05bcf26647a2464500666ec31c235599a73765d4cd3452721eb2cf2b020
0b4d7a81cb8f89e34562cd756540d3dd62176c0fa829d7dba9db2c727b92aef0
b017455b50865cfdd26486b8c6d8348294ee6fba27ea97eb2d94e6a56b7397b5
edc2598baa07918d489c7642acc5d1051506ca818323627769d3b4d6f218eacb
SH256 hash:
62fe76e428ce5f05c147abae70cbcf92fd5ed9a452a577bce4a67622157ac1cb
MD5 hash:
b263310c1dfe5f2e5f9bdc12c28a95a2
SHA1 hash:
18a2aadeb9d57bb9678046169907c7a176778d42
Link:
https://www.unpac.me/results/85cde52a-9367-4de2-8ee6-59beb5926f6c/
SH256 hash:
b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4
MD5 hash:
35b02f4fb30db82436b28b952fb3b8d1
SHA1 hash:
d0a860f242a6fe8a52490eca7bc3c886eec73c39
Link:
https://www.unpac.me/results/85cde52a-9367-4de2-8ee6-59beb5926f6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 979e0d45ebb5200e404716fafe0dadf27aa4801c7d99b3bf4088fefa57745f5e

AgentTesla

Executable exe b416c616f9d57f2a71eb4fd905a6a1d7c73e48f0240981d477136b3c448aeaa4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 979e0d45ebb5200e404716fafe0dadf27aa4801c7d99b3bf4088fefa57745f5e
Cape
Cape
https://www.capesandbox.com/analysis/367606/
  
Dropped by
MD5 9b7419d8b44f89375fb02dd084e21f06

Comments