MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9
SHA3-384 hash: 6f802b80ea7aa411d6c8137a9a4a4e05252e0529e01454dfea29a8cc130d6751cc34cce6259cceebb870a8fe2b627cb6
SHA1 hash: ef7d250fbdbe77c78f1376586e225e6774b2ac00
MD5 hash: bb4c1097b9d7b68140bce654626eea8f
humanhash: north-ohio-papa-floor
File name:Qamu.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:656'896 bytes
First seen:2023-10-17 16:34:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:A3DJ92Ilv58FBW5WxHCmAKQFXRzaEk7biTWP3T4i:0/NvUYWxHv3Qv0biaF
Threatray 109 similar samples on MalwareBazaar
TLSH T1D3D42304AFFC078DEA6A5FF8085881D80775F6B239A4CF7A4CE831C98455B1B916376B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter smica83
Tags:AgentTesla exe FormBook HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Qamu.exe
Verdict:
Malicious activity
Analysis date:
2023-10-17 17:07:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd368266-af6d-4e45-a642-773660dc67e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455405/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/652eb7b7422e14c65a916510/reports/7f5664af-38f3-443e-b2a6-07922c3ca3ce/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/db42d041-4224-4057-86a4-70fa801dc3d1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
n/a
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1327442
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1327442 Sample: Qamu.exe Startdate: 17/10/2023 Architecture: WINDOWS Score: 100 52 Malicious sample detected (through community Yara rule) 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 6 other signatures 2->58 9 Qamu.exe 7 2->9         started        13 HlbhBhWAJnjTyk.exe 5 2->13         started        process3 file4 48 C:\Users\user\AppData\...\HlbhBhWAJnjTyk.exe, PE32 9->48 dropped 50 C:\Users\user\AppData\Local\...\tmpE4C7.tmp, XML 9->50 dropped 64 Uses schtasks.exe or at.exe to add and modify task schedules 9->64 66 Adds a directory exclusion to Windows Defender 9->66 15 MSBuild.exe 9->15         started        18 powershell.exe 23 9->18         started        20 schtasks.exe 1 9->20         started        22 MSBuild.exe 9->22         started        68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 24 MSBuild.exe 13->24         started        26 schtasks.exe 1 13->26         started        signatures5 process6 signatures7 72 Maps a DLL or memory area into another process 15->72 74 Queues an APC in another process (thread injection) 15->74 28 sflhqpapvCxJZB.exe 15->28 injected 30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 sflhqpapvCxJZB.exe 24->34 injected 37 conhost.exe 26->37         started        process8 signatures9 39 rundll32.exe 28->39         started        60 Maps a DLL or memory area into another process 34->60 42 netsh.exe 34->42         started        process10 signatures11 62 Maps a DLL or memory area into another process 39->62 44 explorer.exe 35 1 39->44 injected 46 sflhqpapvCxJZB.exe 39->46 injected process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9/
Threat name:
ByteCode-MSIL.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 09:30:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
14 of 22 (63.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3ar64qzb7xhjf53g2v5u444e32w4byxx44fn4lflgzq5r77fhmq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0b97c43d0eb22c21c8c4be37b6b45a1fd2acc9aa8c2a30012a06c2a0fb23a1f2
AgentTesla
3668bfda289003db294d1a1cd542ae1779810daab317fbed4165c1b422f20c31
AgentTesla
4aab06d62b7be6864a2844428af16f335fee3713ef63ebf637540275f40ffd3e
AgentTesla
527bd1688c686cfb6d7fe4b85e2456a5a80c6995cb8ffc5aea8deae08877062d
AgentTesla
5ca6d298c6d1b95e2d810bf3906b55355416d88c05c17d4094f87924db898c7e
AgentTesla
93f4ba21d3b855e192770114d08d89c2d0b8d196c701827cd2a1df5ffc66af49
AgentTesla
9aecf5734ff36e456fd5a50650b083c1d521d36212c0a440ec6202fc00d14380
AgentTesla
dc8a077600f7e0fe27bd970f0d0aded18612f849e8e2fe53f8b69609a0b38fd9
AgentTesla
fec2fc59ff0deda9141200d10606ec0314a62f18a5b479e6438a13d8808d58ca
AgentTesla
fffc596389cada3bd1e1d1659029e607e14320cbdd126de7fdbe33b99f9c59d7
AgentTesla
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231017-t3ng6afd28/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Gathers network information
Modifies Internet Explorer settings
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
6e8b5627949c22a264a0a22352676f5e52faf36609b62f27e901acb3141a31ad
MD5 hash:
cbfd33043e2319e5402d5dfa9737b9a8
SHA1 hash:
f96fdc7bc3335ce6b3359114293539c151ed62fb
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
ec4f59024c89138e664ca64b46af6a88f68398b7285175890383ee22de0b2467
MD5 hash:
188a34a6c4246c56359c5d2a50a2774b
SHA1 hash:
2b70f0af307946d5a8638d365e671c03c19450e2
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63
MD5 hash:
5c904da8528cfb1b87b15a6aa7c059cd
SHA1 hash:
f0a192969485d1bc34bf52adf37d9c20176d6b85
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
de59c3246c72163cfc5d3b5a8aec72ec6a585893a6c7d80fbff35238aabe6027
MD5 hash:
c3b2bcacf04baacd6daae4cf4896872c
SHA1 hash:
b7815d4d77ea49e493898d9ce06061e2c9c83feb
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
ed278807068709bcc74ef7d01ce46682b64d8ec9c8466dc8aaeb92ed75495aaa
MD5 hash:
51e85d063788811778e570139e28ac5a
SHA1 hash:
b3a9f24d4d25c91058e6c1f91e07219423b428fa
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
8c28d9e9c60196e8e043c3b5abd81955f0976f7505601e239466b06b4d9e2cda
MD5 hash:
aff7bfba75cf46e29ff39c46a17871f7
SHA1 hash:
24c2829d92ff520372c32acc6a9f4fa266605cf3
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
SH256 hash:
bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9
MD5 hash:
bb4c1097b9d7b68140bce654626eea8f
SHA1 hash:
ef7d250fbdbe77c78f1376586e225e6774b2ac00
Link:
https://www.unpac.me/results/ec8f3344-542a-4939-afa7-b7c742283fcb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bec11f72190f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bec11f72190fee7497bb36abda739c26f56e0717bf3856f16559b30ec7ff29d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455405/

Comments