MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e84db608773bb4a8f9c328de74464ec5bb3862e1f1d12fc074cb292c0ea8da1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e84db608773bb4a8f9c328de74464ec5bb3862e1f1d12fc074cb292c0ea8da1
SHA3-384 hash: a1e9216828d47819d8384d189b681394a10b3b43aea7bb3e9f554c065df2f21663107986501f39ae341f29b8db3910ff
SHA1 hash: e17a1ac115ebe4530e48fc7b4f954bfc654827e3
MD5 hash: ff18c94e0d030d8d1562b76d71589be0
humanhash: indigo-may-paris-july
File name:Ovnemhfto.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:90'624 bytes
First seen:2023-05-16 10:14:37 UTC
Last seen:2023-05-16 10:45:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:y5PGyW/roDMxoBl5JG9vRx5hZGm85wZOYlmDRVOP/pa7zgD:ybW8DTudRHPZUR8PhaYD
Threatray 28 similar samples on MalwareBazaar
TLSH T1D793F8356B49CDF3E5A85A79EC4204F4B678AC16DB22F32B46403D5D2D773F8093129A
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0d0988ccca6d2e8 (9 x SnakeKeylogger, 3 x PureCrypter, 1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
249
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ovnemhfto.exe
Verdict:
Malicious activity
Analysis date:
2023-05-16 10:17:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/35a25589-5782-4621-b2a9-5f90445bd1f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390358/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware stealer
Link:
https://www.filescan.io/uploads/646357a970bf54db4a1aab1e/reports/8e146e7a-0428-4e0c-9289-654cf990647e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/5e84db608773bb4a8f9c328de74464ec5bb3862e1f1d12fc074cb292c0ea8da1
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e2e7c326-d728-488c-aba1-e854fc340d56
Result
Threat name:
AgentTesla, Snake Keylogger, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234347
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected MSILDownloaderGeneric
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e84db608773bb4a8f9c328de74464ec5bb3862e1f1d12fc074cb292c0ea8da1/
Threat name:
Win64.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-16 08:37:01 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
23
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2cnwyehoo5uvd44gkg6orde5rn3hbrod4orf7ahjszjfqhkrwqq._file
Verdict:
malicious
Similar samples:
018a3bc93803892ceb431a362450a0883b02c2e097865ce39d0d9bf1549cfcfd
AgentTesla
1c3e5e288a27425088c86cd526e006ecee211534a222b6ddd6ab4a2adb6c911d
AgentTesla
27f03bcd5cf9f3252316c1aea335f56dd9909c53832707b9f56033d1da98a0a1
AgentTesla
3fb7dd88a1460058b33845265a2a48629d1ff8bb2feca2d6be3163757d962991
AgentTesla
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1
AgentTesla
99dd06782f7dd4caa754f0e27a3ef5068db0c634ec327a93dee8dc1b98ad18ca
AgentTesla
b4073b9936abd8f87ba521d74ecfed8e16ba3582bbf80a51da0da0c1982814ad
AgentTesla
b670bdb8ff34e41d99e9d799f80aa93fc51cf49085dd2ffd92586f4c32cb1514
AgentTesla
f98d9950348c01bc0f26399555ad77bf6b5793e4d3ded33e0473fe5c70806bf3
AgentTesla
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection
Link:
https://tria.ge/reports/230516-l98gxacc92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Unpacked files
SH256 hash:
5e84db608773bb4a8f9c328de74464ec5bb3862e1f1d12fc074cb292c0ea8da1
MD5 hash:
ff18c94e0d030d8d1562b76d71589be0
SHA1 hash:
e17a1ac115ebe4530e48fc7b4f954bfc654827e3
Link:
https://www.unpac.me/results/e621dbfc-2d7c-4da4-9aa0-19be1c9af10d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/390358/

Comments