MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300
SHA3-384 hash:	ced5294cd085be36766907edce05385dee510ad02d401d2aaffc160d4703bbe2387e2c58f6bba637cf229b081070784c
SHA1 hash:	6adfaf4900044eb2c76ded18894e6fe64796195f
MD5 hash:	564bf457bb3105ba0937610ea23223af
humanhash:	kansas-river-lamp-muppet
File name:	f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	686'592 bytes
First seen:	2025-07-07 14:25:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	12288:t+KUbuTuwPisxFTnFR9fELj8aTTndAa1M6U3jooNPxVbMiNgvmjms:tBUIuEisxTRBpYd0hcoNPxVb6I
Threatray	3'415 similar samples on MalwareBazaar
TLSH	T1F5E4128127D1EB22ECE447F02970D2B603769F8DA425D34F85EEECEFB5697892451382
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/12878/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686bd8f5c9eb974737676c87

Tags:

spawn shell virus lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Launching a service

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e9d6107-f4b8-4d7e-94c7-f1d5c88f830f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2025-06-19 13:27:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6fuwn3xg5i4ex36rmkllcxjhxbeufebiggyprpcs5lqld7qrsmaa._file

Verdict:

malicious

Label(s):

agenttesla

unc_loader_037

AgentTesla

a32812ea87167fe0a9275823f6c873984de4dc7ece43895f02a175826aeecdce

AgentTesla

aba4d6ba306deaf02c3122060facf7e11d19da806321ac993c42461d4e9edcd7

AgentTesla

b858cc21f6276c7518a9c7f1fc92d2ae8f432ace4359744dbcf92e0ddeffa3ed

AgentTesla

cbaf21eca02826ae4c3a6b7e4771a0d35b95e68faca9da32ba9dc0206e6ad174

AgentTesla

cfe3100ff8dfe286be11b889ec8ca0a14211d56651469114ee5f440d8ff3e5a6

AgentTesla

e9faca7e44847bde376839999ff7491a3ffb0409f47e170560a64fa878ebdb55

AgentTesla

fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

AgentTesla

+ 3'405 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250707-rrj99aek2v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3ebf2a0f-5ef8-4c0c-94ec-1981370c2647

Unpacked files

SH256 hash:

f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300

MD5 hash:

564bf457bb3105ba0937610ea23223af

SHA1 hash:

6adfaf4900044eb2c76ded18894e6fe64796195f

Link:

https://www.unpac.me/results/c1f5a1b5-4616-4261-9916-867eaf908162/

SH256 hash:

b11b229ad65a15b85359bb6bd7015fb00977da699ad431aeb6be874702d78cfe

MD5 hash:

fd1d81621edef0b10bba0ef0dfc197cb

SHA1 hash:

01cab3e27e6c756c020fa6ca459fac8a6a3eca0b

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/c1f5a1b5-4616-4261-9916-867eaf908162/

SH256 hash:

c6a9e8939b97df23e9142f26eda39393c3d22062fe70737fa51584700a2ab2fc

MD5 hash:

94fbc81cd5ffc1d77f1e9fecc73d04f4

SHA1 hash:

08f60b5309fdb9180a4e7db0da05e363fc42d132

Link:

https://www.unpac.me/results/c1f5a1b5-4616-4261-9916-867eaf908162/

SH256 hash:

35ddf752787b35e35bc54c66274381d4f7ab1648b5b5ff19b84cc9aa2e9ebf1b

MD5 hash:

b8865e349bb383f87b789f28c7d332cb

SHA1 hash:

f0d2894044ab5dcf13b36d758636ad3bc7b39261

Detections:

win_agent_tesla_g2

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

MALWARE_Win_AgentTeslaV2

Link:

https://www.unpac.me/results/c1f5a1b5-4616-4261-9916-867eaf908162/

Parent samples :

1ba351935a470a495569067be498955431c8e699c03784f058ac26e0ff4c0836
e80896f3ce016957ff20d7b18f546daaead13afd31d7c8c8f94d4039b01db118
f16966eee6ea384befd16296b15d27b84942902831b0f8bc52eae0b1fe119300
9c6a17b9f0909eb2b0feebbf337d3bd8d543a7e8c9344242382bf814b6fb614d
b2d5d9d3c3bfdca561730af8e3cedf26a7a8863e8ee2b7b2e0b5ea8a1aa19636

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Runtime_Broker_Variant_1 Create hunting rule
Author:	Sn0wFr0$t
Description:	Detecting malicious Runtime Broker

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12878/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (Unrestricted:true)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample