MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
SHA3-384 hash: 9a08a2c194ea6ae94ab4a12b4aa0ec7a6a701940189c85635a5985c52d936913796277df64749b32cb41bb4ec3cbd508
SHA1 hash: e9aaf7533a4a88feeb820ca0f2001def95987483
MD5 hash: 336375e930359420ca9be2882d881df5
humanhash: floor-snake-helium-black
File name:336375e930359420ca9be2882d881df5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:749'568 bytes
First seen:2023-06-10 10:28:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:I/PWR28Le0cY+Yg9fb9WshiQMJrJqxO61iUQTmJTCj15USGQ/5HDIi:IH+xL9Rk9ciMZmiUdlS5Bj9DI
Threatray 5'137 similar samples on MalwareBazaar
TLSH T175F4127C2BB7496FC8627FBD5E202EB5D1E81A45717BC6574FA7EE9CCC04A880D80291
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
336375e930359420ca9be2882d881df5.exe
Verdict:
Malicious activity
Analysis date:
2023-06-10 10:32:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4c00c3e8-a417-47ff-b9dc-55d18c7274ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/397582/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67444893.5559.2611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/648450733d73a4d7170a0152/reports/dacaf155-b11e-4738-90cd-bcc5c6090f45/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e0a4632-98b1-4e74-8844-2919322d4811
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1252304
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-09 06:25:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ayqjd2g7zvcuda6ne6jw7r4oc4fi4ux5oiutehweb2isqjpce2ca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25300a6afdd9084a8ea11d4881387ab2545652380643603f8e5fb1da74d57486
AgentTesla
612f1a7e7ced6e8e9a9d9eff56da53c08c27c911068fc34d323fb4f05b895f91
AgentTesla
690bf56c513b3b1e8ef7eb1cabd0e7ae3caf33e6d4442264ec5b17c74b9c5d92
AgentTesla
8699f030698874a541a877ae7068bde48d11e74fd9a6c817d45885e1815e0dcd
AgentTesla
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51
AgentTesla
9f090c60579dab06ddcae55533aad49e67b857d77a7f39074105267870f0dca5
AgentTesla
a83423d3a684c1defbb7b445d0594e8074f803fbb4b170a3450e3879aa619886
AgentTesla
ab55ab33808d211473c343f235e8e8846feb5537461d4d32ce1ec065d8bfda28
AgentTesla
cec5cc9dfa8e64cd0bacc6aa6f7767729dec65d6a8d53184b887dc89a6a76884
AgentTesla
fc54140655e3660dc45f2582c9fa41f4f957b22f86375e7c3ca723d28004d8f2
AgentTesla
+ 5'127 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230610-mh85ssfe3w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
SH256 hash:
cad9d5158bd4148003f9393e3b89ea98951360112337f191af3fc7ed9d9fac34
MD5 hash:
cebb2b71aadd6adf6c4b077193e0522b
SHA1 hash:
b705fe3184e6e0a48cf7e30dbe9d1bf317e83a45
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
SH256 hash:
dce51b6e3ecb2e2b88862fa99d334db0a41efe8fcd091f401245134fd491a2f2
MD5 hash:
2e2c01b321eb13b54c1e7d7db3703b55
SHA1 hash:
b38d9b2bf4a69cd4f418c10d1686a8c12027c20c
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
Parent samples :
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51
cec5cc9dfa8e64cd0bacc6aa6f7767729dec65d6a8d53184b887dc89a6a76884
062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
SH256 hash:
9773b38ab3b2b9956bebcab59ea68a1d66d4881d7ff6277699c4a19cbfe5b8c5
MD5 hash:
194c1ca5f8569a9da307ddb91ccb02b4
SHA1 hash:
6f9bd13b7dc40b433605e1ad6bbaeb343736fc9f
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
SH256 hash:
1360c79fc24e1c05345023844a9f3af1e2281aea8409f57d1b7018b665a385ac
MD5 hash:
d28bfb45b54f56457ed0b90f09907349
SHA1 hash:
0823e3d8ba3ef37afd5bf206e3c3ac352f0f4fb6
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
SH256 hash:
062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684
MD5 hash:
336375e930359420ca9be2882d881df5
SHA1 hash:
e9aaf7533a4a88feeb820ca0f2001def95987483
Link:
https://www.unpac.me/results/e8eae876-50a9-4092-97a2-726cfe1de61b/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/062091e8dfcd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 062091e8dfcd454183cd27936fc78e170a8e52fd7229321ec40e912825e22684

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2649779/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/397582/

Comments