MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b960e59e160d3b049843908bcfb05c00326a252a574de70d2126ddaa8f48a962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12
SHA256 hash: b960e59e160d3b049843908bcfb05c00326a252a574de70d2126ddaa8f48a962
SHA3-384 hash: b8c77b10bb390e7e3f2714e9523878dcd6ad8999192481817ac71043de87dec6bda2802f372a55452f4144fa450b08fc
SHA1 hash: 5bf8dc2e057a079c2a2a2e2412dbe68790b1185c
MD5 hash: 18ff1162fef9d599bbcff7f4bc4a21e7
humanhash: massachusetts-twenty-oregon-london
File name: SecuriteInfo.com.Win32.PWSX-gen.31505.30455
Signature: AgentTesla
File size: 783'360 bytes
First seen: 2023-11-17 13:27:00 UTC
Last seen: 2023-11-27 09:19:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:c8Ba/mFiTEJ0+0OR8FCkoJrP46F+GZUTh1nGck9suFBRGK+VgSOP2aEP44v:coPv+Ge3GckKgBD+beBEPn
Threatray: 236 similar samples on MalwareBazaar
TLSH: T182F4F53D1B9E1667FC79D6A7EFE0812BF061AAE3F2099D24D4D703569302942B0D427E
TrID: 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.1% (.SCR) Windows screen saver (13097/50/3)
      8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 0830b05959b9b004 (5 x AgentTesla, 1 x Formbook)
Reporter: SecuriteInfoCom
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 358
Origin country: FR
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-17 13:28:08 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 19 of 23 (82.61%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files

SHA256 hash: b6a9d2dfdc7f82a4b541c319f2baad6e386ea0a63c705337c6b6432292fbabe6
MD5 hash: e1604a1ee6f8a70d13ef706f3bec6ed9
SHA1 hash: 0800f3582204bc4fe659f8f246bcb1382f2dda21
Detections: win_formbook_w0 win_formbook_g0

SHA256 hash: abcdfd88809fde2b8fb86c4b7f50894ff01157d45abdf9840a3dc3adc9a5c6b8
MD5 hash: 848c3537038c9ed908dd11f2860a8ca1
SHA1 hash: 08fc35e67c9f52a008e3f9f452674f59bd2a82d8

SHA256 hash: d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash: 579197d4f760148a9482d1ebde113259
SHA1 hash: cf6924eb360c7e5a117323bebcb6ee02d2aec86d

SHA256 hash: 76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa
MD5 hash: 9561bc00330bfa400784c1b3b2075d0b
SHA1 hash: b98f0014f428085dea5ea44108d64d9119e3d698

SHA256 hash: 2bb44a1af36b1885756257b12268163e946532078b7476677fe97f188d57d1e5
MD5 hash: 3437f0b5f42c56b52dd321cf25606066
SHA1 hash: 2df3172a298abb70480ad60a3a5420a76037b073

SHA256 hash: 14501b43bd49ce06e7a5e95e5a58718b624a658c03a751f47338b8bd4318bfb2
MD5 hash: 86d058b2afb94a3fc7793db581c52b90
SHA1 hash: e9fe27e0029fc8e7acf2f6e3a5061ae2a2ef0707

SHA256 hash: fca7cc99f8d03115a21cda7c04ca8c773272431efdff10ed3afd4cb24a45f355
MD5 hash: fd3c3b8e9730eca44769a54f202570d5
SHA1 hash: b8210c3d871e7e6eecbb0398975020a254c96421

SHA256 hash: 5d6fd86c4b88079e5201047cb8d42578f518c80e70b45f85f807327f2ea7d517
MD5 hash: b6841229c8b5da12cbd923f808a6ef73
SHA1 hash: 6a2b8189e066dffe8c00561dd26b7cfce6fefac9

SHA256 hash: bae624dccbfb3ef8391dcd13e06e2dad35fa05ceb79bda149e0987e5442abcb6
MD5 hash: c8db41f0d96b6e62b0f21d328725d8b4
SHA1 hash: 3b17e73c4361604a422df2a40077ae0a23876575

SHA256 hash: 53261bc89410b867a345971bdd5dbbb8feb45cb1b2a8c4fb0e0552d195cab3ef
MD5 hash: 03c21cc03f6c72f5ab47b5455abd7a28
SHA1 hash: 0cdfaa94730a8ea00481bb2cbb04adf954acc4cc

SHA256 hash: 2a6e8e2cc2c3e72d4b72dce97193fb65af487e684b1ab6ef11af3b0db9728995
MD5 hash: 5a325ff90dc64ef161722ee2fa5d4eb6
SHA1 hash: 055e6319058b2accf40ff809f8205acba73e78b9

SHA256 hash: b960e59e160d3b049843908bcfb05c00326a252a574de70d2126ddaa8f48a962
MD5 hash: 18ff1162fef9d599bbcff7f4bc4a21e7
SHA1 hash: 5bf8dc2e057a079c2a2a2e2412dbe68790b1185c
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments