MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
SHA3-384 hash: c7853caa3e8b90b56a3283ad653515c2a20fa9d1e5eef325a704aafdf0640399cb9bf3c848cca1f7c453ecf26fc8cadb
SHA1 hash: 97d87e3fc3b3f00bcb715e774757d2c0b93e3718
MD5 hash: 0deec6c79c47e3224feaaaa2e70aa8a0
humanhash: william-iowa-beryllium-cold
File name:file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'584 bytes
First seen:2024-05-21 03:41:44 UTC
Last seen:2024-05-21 04:28:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:NSlYifTvxAGLIMPqtBnOzZwO9z2rG6yO7VywIDylK728+HU55GUa4sq:3izWeIWAOdBh9g7Ez/FqU7
Threatray 592 similar samples on MalwareBazaar
TLSH T163E4231376ACD71FC6EE21B860806B560BB7DE62B51ACED01ED750C407F872365532AB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00b6bae8a8aad602 (11 x AgentTesla, 2 x NanoCore, 2 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
323
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07.exe
Verdict:
Malicious activity
Analysis date:
2024-05-21 04:03:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b8a51ca2-ddbb-4e5d-96c2-fbc13099e676

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.2620.4895.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Tags:
Banker Encryption Execution Network Swotter Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/664c1810eecf8de655e8e297/reports/54da9fd5-dc9f-4274-bf06-fadd0296f3dc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3cc3326-0f48-4c58-b075-20f2bc68e937
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444711
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444711 Sample: file.exe Startdate: 21/05/2024 Architecture: WINDOWS Score: 100 48 www.azureabyss.xyz 2->48 50 www.teddycorner.com 2->50 52 18 other IPs or domains 2->52 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 Sigma detected: Scheduled temp file as task from temp location 2->68 72 6 other signatures 2->72 10 file.exe 6 2->10         started        14 stGYNUr.exe 4 2->14         started        signatures3 70 Performs DNS queries to domains with low reputation 48->70 process4 file5 44 C:\Users\user\AppData\Roaming\stGYNUr.exe, PE32 10->44 dropped 46 C:\Users\user\AppData\Local\...\tmp9ED6.tmp, XML 10->46 dropped 82 Uses schtasks.exe or at.exe to add and modify task schedules 10->82 84 Adds a directory exclusion to Windows Defender 10->84 86 Injects a PE file into a foreign processes 10->86 16 file.exe 10->16         started        19 powershell.exe 23 10->19         started        21 schtasks.exe 1 10->21         started        88 Machine Learning detection for dropped file 14->88 23 schtasks.exe 1 14->23         started        25 stGYNUr.exe 14->25         started        signatures6 process7 signatures8 60 Maps a DLL or memory area into another process 16->60 27 AXAynXgBJYvdDOjROZCOIzFJnr.exe 16->27 injected 62 Loading BitLocker PowerShell Module 19->62 31 WmiPrvSE.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        process9 dnsIp10 54 www.azureabyss.xyz 162.0.222.196, 58700, 58701, 58702 ACPCA Canada 27->54 56 parkingpage.namecheap.com 91.195.240.19, 58675, 58680, 58681 SEDO-ASDE Germany 27->56 58 7 other IPs or domains 27->58 90 Found direct / indirect Syscall (likely to bypass EDR) 27->90 39 upnpcont.exe 13 27->39         started        signatures11 process12 signatures13 74 Tries to steal Mail credentials (via file / registry access) 39->74 76 Tries to harvest and steal browser information (history, passwords, etc) 39->76 78 Modifies the context of a thread in another process (thread injection) 39->78 80 Maps a DLL or memory area into another process 39->80 42 firefox.exe 39->42         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-05-21 03:42:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xyiemeilsiv35ae32atawck42vy2xqbxnmot64ll2eceagza5mdq._file
Verdict:
malicious
Similar samples:
3c4a62274eaf166916621a82f252b2dcdbde0fb6b477682943ef60128f0a82c3
AgentTesla
62c56a245bb931fb7c05745e678648a08d58b75b9f97550d5a663f6e89678395
AgentTesla
826d8202d71324a5d3b0b76f33e8633d791e0cd0e8d1130c03a612458f9d7d77
AgentTesla
ffd7d83a9e5fae75ed025a5e148013b4d3e7da5817bc715e4e0451a535d5e507
AgentTesla
+ 582 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240521-d9cfgagc69/
Behaviour
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb46ac23-d09b-4842-ba77-c01c53689144
Unpacked files
SH256 hash:
6dd21aa05df2c2f9739737b3d5518ce0365edd109067062740199853aa812528
MD5 hash:
7bae64b0f17a2c117dd503a384661883
SHA1 hash:
c5004bf8636d7be070993497a3c832f005d959b3
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
Parent samples :
7aca6825bcc57d37bd12f4975818ef6fb846766a335c1fd5f79b154d4ea89842
be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
0b348678902c0f9bf136572b4168cb697403ecb88c58151c5cbecf7cac9bcd7b
SH256 hash:
0d393d5ed1a5c007af71fbc637b19f363edec7354dceb519051161de96622337
MD5 hash:
f182d8e501cccf01ded3f97ba57194c8
SHA1 hash:
2b973d378263db2102240cf61ef241d61191683f
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
0b7dcc18b0ef39734a24ca5923b02df82c670d08365fe376f2ed4ff9fcbc6303
MD5 hash:
0441cc0dacc6d821252e66a156b1d9bd
SHA1 hash:
df46cc702950a53a5de7b804d2076ef03f8ac6b4
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
f540e8d603962027b3a1f8b86d035281bfbdd3a05a621ead255825bc2082632a
MD5 hash:
d172f59251b97b415b621d302e1be2b7
SHA1 hash:
b1534e603749c901b5ac185f20e281f6be7fa908
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
53d404515aa9dafe8d69ae13b5ec9432fdb3643a8b34d8b54ae6127dd150d3f4
MD5 hash:
68efee4681e4ead7ba1004e0c76e6d62
SHA1 hash:
8dbc0b6fb68af105e5b277687c124a3ea2ff2a76
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
65fcdfa06c05ae0ba75d201568c60bf8e5567c494edec62a9eec5204dbcbff0c
MD5 hash:
05dea22d1b471b2d7bf2c9d03843e00e
SHA1 hash:
f4c9de7ea3648021917d9bb3a54641a46a69d8d0
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
f93645ccf36854035a85f57a8319ce7dc945a85b73b683acf81270141f1e1c16
MD5 hash:
f849c7ddc56ad92e55c6681663cb1ec8
SHA1 hash:
b5ae9e1e1eb9b8f51e4ff53e796a2d24b4082f93
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
03703e0faf4ccc35c4be82a00addc8d35fc1a3ce93a7378c83a8266560c298e2
MD5 hash:
0822b8737bed9a76d83caf5a1a22687d
SHA1 hash:
a17160ab7ea532906bc90fb80290175671cbec23
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
3ce5dfdd1e6ff89b0aefd22e7fd266aae3e8744a37aae9e93cb274a99493444a
MD5 hash:
288548a38df38b3dfe1136d21e4b4faa
SHA1 hash:
90450bb438c3e355a9a0ce160bb4d8cd0997b343
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
73a49931ef8be60c7d7ae086506d428c8a7367f781829ad510e8abc8dc24f0d3
MD5 hash:
a174d94eea90536e4cc19e0a0804e2be
SHA1 hash:
55e2b9947e44c2422c8e3a7d7d37c9ce29067947
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
1ecb643e7e4be3753a9f3a9fd29b81e13b6d979655f0eceaf78e6cf0512cb2ff
MD5 hash:
a95e2f1b8061ccf3796f726fd896563c
SHA1 hash:
177693055e78390ee4f52f0df521904d2245e6ea
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
SH256 hash:
be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07
MD5 hash:
0deec6c79c47e3224feaaaa2e70aa8a0
SHA1 hash:
97d87e3fc3b3f00bcb715e774757d2c0b93e3718
Link:
https://www.unpac.me/results/7006a052-368f-4e76-8892-d4bb49ba214a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be1046110b92/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be1046110b922bbe809bd0260b095cd571abc0376b1d3f716bd104401b20eb07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments