MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
SHA3-384 hash: 4604d3f2a98196cd59cb3cac98f699e013fdee5eb14dcfe60887cd6dbbb8909949b26d302ea10c9af342b0b46f1fca14
SHA1 hash: cb3a219e00db7a34539d95f4702802db2950fa60
MD5 hash: c0524a25b19dbf5fb826c2218a152e7a
humanhash: mirror-illinois-cola-juliet
File name:Remittance Advice MEDU2464.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:891'392 bytes
First seen:2025-04-14 06:57:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:jtkilaay84PIJSq1QjpVzoH09XeaB3y8Im3YOeXm6o9rqTENwXTeVInGI55l:jhlaVwR1QTZ9RYDA9rqMVdI55
Threatray 456 similar samples on MalwareBazaar
TLSH T18C1501442359D816D5B71B781A33D2BC06B7AD98A935C3474ECEBCDF3B2BB0A19013A5
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 88c0e8ba62f49a97 (11 x Formbook, 3 x AgentTesla, 2 x SnakeKeylogger)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance Advice MEDU2464.exe
Verdict:
No threats detected
Analysis date:
2025-04-14 06:57:43 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/4c776bb8-590c-4520-a479-97ce860b29b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2117/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67fcb923d6e7c3effad26acf
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67fcb2012d430c849e1794f1/reports/d1e4c589-c925-4647-9ff7-78aa0c027ab3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/38bc8b20-0b5f-49e7-abe1-035567610c71
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1664392
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-14 02:36:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4vrmklv6f254rc3ctg3llfsb7p2557ismve3mvcnysfu7ygidtq._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
7636a9a372ecbe65e84e5c16e626ab03929a0089d253d4dd391b915774dd67ef
AgentTesla
93cc34776484daa2fcc0392c3f98530d2c003e3d32dd90b977983a21c9ddd4e1
AgentTesla
b4391a76a1e786d93c45cb78576609d9f75ce63d9253edac9c66ef921b5a7de6
AgentTesla
b65fece07c855ade193a6b6ef01280298c587c2b1c4fd9a4959bbb3567155da9
AgentTesla
b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
AgentTesla
error
AgentTesla
+ 446 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250414-hrjjaasxdy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/037a5f2a-550a-4907-81f9-c57f8ebdc643
Unpacked files
SH256 hash:
b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
MD5 hash:
c0524a25b19dbf5fb826c2218a152e7a
SHA1 hash:
cb3a219e00db7a34539d95f4702802db2950fa60
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
SH256 hash:
6eb5f43964032a500d4f19bf9252f7a0e0edf1dfe69260715cafbbf906b07e91
MD5 hash:
362260945139e2e231f962b1565ac1fb
SHA1 hash:
1387ec9e8d4af1eb83bbc79873e90b22232e9eeb
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
Parent samples :
7636a9a372ecbe65e84e5c16e626ab03929a0089d253d4dd391b915774dd67ef
b65fece07c855ade193a6b6ef01280298c587c2b1c4fd9a4959bbb3567155da9
4656e43fe5addfaa6f568353d432f7ccfea23b8c64e0e10641716822e3a199fa
ec9e31d8392b7002e930927ee6f50dca9718ba2585753042f58b27af30f3a3fe
75cc511e47b0b99575b4611a7cdf39c8cf33fffe1432767730188687a2ee70ed
b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
357b3313f39b40d4b9acc1181d3eca642418b945e0b35cc0f3c436b9598fd8a5
SH256 hash:
1b97196ca78fca5aba8cc7cab90f797657250ddce9c0720c5bbaba50076f8d21
MD5 hash:
33567fbc23d41ca1f2c9e62f7049757b
SHA1 hash:
8e744e4fb20b8dc16b0cdf23f41040c8f9e502a1
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
SH256 hash:
4a8191600f0412bc586bf4fb23cb339319d9d776f9286c88bb95e36d6f2b76fe
MD5 hash:
68bc5504b8a5b85836ed560861c35cc0
SHA1 hash:
cb18ac2c98174810aef534f8c9534f16326cdad3
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
SH256 hash:
0393c17d9edb0ad7e6935660e8c33f49dbdf976a81812fb363ec00a0cb306c35
MD5 hash:
a952bcb5dc9fce436025fb46bbcb4026
SHA1 hash:
1f3fdcc68f24a16507416462d1db8f09779757a8
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
SH256 hash:
7954410e87b24debf14521b32850bac53f7924a45262bb8dc15d877c364c16cd
MD5 hash:
3ccbacab9a6b9a43781019e74291daa5
SHA1 hash:
2af48262743733232f5e7471f9f264e755b28e59
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
Parent samples :
7d5a65180b375a682fce901b2152bd786ab3acba473f2f12e5c9d861f6ec3989
b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7
cf5c68e26546d85bf7ab9d049df7da641929bdd77eb51bec61e354db25d27292
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/8ea7b5c5-4fdc-43f7-a6e1-df8988eaa8d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b72b162975f175de445b14cdb5acb20fdfaef7e8932a4db2a26e245a7f0640e7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2117/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments