MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634
SHA3-384 hash: 89c5b5307ef1ed579e6520fbb09b96c2e1542dd808ebad736011ed59079cc57d26b46b4ec04f7ec331ed3d873dfdd696
SHA1 hash: 3c35a4377f9df1274c0534e7edc3913ec1bb9d23
MD5 hash: 5a7b8751cffa191e8d28b916f9eff0d6
humanhash: ink-nevada-massachusetts-arkansas
File name:Zjmucwroot.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:115'712 bytes
First seen:2023-08-14 13:29:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:CWN+SkMZif230QS6B3KMF1vR9rKeDYYVsgxhxRf/OI9jdl5PAaZ/Sv93Q28FHE7:8GzpNR9rKeDYYVsgdRf/OuJfhAP8tE7
Threatray 5'568 similar samples on MalwareBazaar
TLSH T1D0B36B07B7298676F28107BAD6AB93049BB4E696B363D38F308E13551B037EC9D35247
TrID 53.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
12.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.5% (.SCR) Windows screen saver (13097/50/3)
7.6% (.EXE) Win64 Executable (generic) (10523/12/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Zjmucwroot.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 13:32:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a4d80301-7bb8-4ac7-858d-056b0cc93366

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442661/
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/08202ab2-47fb-4452-adcb-6a02239aae8e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290962
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1290962 Sample: Zjmucwroot.exe Startdate: 14/08/2023 Architecture: WINDOWS Score: 100 78 mail.absbldg.com 2->78 80 h12.hksx.com 2->80 92 Snort IDS alert for network traffic 2->92 94 Found malware configuration 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 10 other signatures 2->98 10 Zjmucwroot.exe 16 6 2->10         started        15 Uvjcibslxfc.exe 14 4 2->15         started        17 Uvjcibslxfc.exe 2->17         started        signatures3 process4 dnsIp5 90 qu.ax 46.29.235.10, 443, 49717, 49732 EUROTELECOM-ASRU Russian Federation 10->90 76 C:\Users\user\AppData\...\Uvjcibslxfc.exe, PE32 10->76 dropped 120 Writes to foreign memory regions 10->120 122 Adds extensions / path to Windows Defender exclusion list 10->122 124 Injects a PE file into a foreign processes 10->124 19 MSBuild.exe 2 10->19         started        23 cmd.exe 1 10->23         started        25 cmd.exe 1 10->25         started        35 2 other processes 10->35 126 Antivirus detection for dropped file 15->126 128 Multi AV Scanner detection for dropped file 15->128 130 Machine Learning detection for dropped file 15->130 27 cmd.exe 15->27         started        29 cmd.exe 15->29         started        31 cmd.exe 15->31         started        33 cmd.exe 17->33         started        37 2 other processes 17->37 file6 signatures7 process8 dnsIp9 82 h12.hksx.com 202.181.239.232, 49731, 49743, 49744 HKCIX-AS-APHongKongCommercialInternetExchangeHK Hong Kong 19->82 84 mail.absbldg.com 19->84 100 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->100 102 Tries to steal Mail credentials (via file / registry access) 19->102 104 Tries to harvest and steal browser information (history, passwords, etc) 19->104 106 Uses ipconfig to lookup or modify the Windows network settings 23->106 108 Adds extensions / path to Windows Defender exclusion list 23->108 45 2 other processes 23->45 47 2 other processes 25->47 39 Uvjcibslxfc.exe 27->39         started        43 conhost.exe 27->43         started        49 2 other processes 29->49 51 2 other processes 31->51 53 2 other processes 33->53 110 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 35->110 55 2 other processes 35->55 57 4 other processes 37->57 signatures10 process11 dnsIp12 86 qu.ax 39->86 112 Writes to foreign memory regions 39->112 114 Adds extensions / path to Windows Defender exclusion list 39->114 116 Injects a PE file into a foreign processes 39->116 59 cmd.exe 39->59         started        62 cmd.exe 39->62         started        88 qu.ax 53->88 64 cmd.exe 53->64         started        signatures13 process14 signatures15 118 Adds extensions / path to Windows Defender exclusion list 59->118 66 conhost.exe 59->66         started        68 powershell.exe 59->68         started        70 conhost.exe 62->70         started        72 ipconfig.exe 62->72         started        74 conhost.exe 64->74         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634/
Threat name:
ByteCode-MSIL.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 13:30:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mjrfwyyllo6lcbjmwabuwyg464bns37mh7h6ls3bkrkgubvwqy2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
63cc9fdaa3819fc6a4433c35ca3f308ce20bc39e07940f07f461cff692bab7b6
AgentTesla
8015d0f83bd5b01a372675e35de2a1f181a696b8a9ab337adc9a8e873115637b
AgentTesla
95f55542b28bb67dca43e90777bd25700d3afea56b15581a8de5340d0b5dfc12
AgentTesla
974ca7ad435352579a6080a0437db8fb96a3cc0627799820cbe3aac2fd0a6a0f
AgentTesla
9aaf43bf1332584fef746b25cb8ce5d649476c0f2f9c97b2f1eb786846015d2f
AgentTesla
9bee15aa43bcdb1c361ba488354de254e7860b9f006ad7ce7602adc6d7667e62
AgentTesla
a334c6122bad0425124968bc3a443bf3a4ef2aabb1e865f03fee17122f0c6885
AgentTesla
b7ba35e9eab9d351fe253284cefe14b16cb8312d56c9f96a309b851e515d1090
AgentTesla
e24555189a0c9c86d7248ac09b8321551327c3d2896dff4c4ac4681c1dd63b10
AgentTesla
+ 5'558 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230814-qrtcgscc32/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634
MD5 hash:
5a7b8751cffa191e8d28b916f9eff0d6
SHA1 hash:
3c35a4377f9df1274c0534e7edc3913ec1bb9d23
Link:
https://www.unpac.me/results/b90e3956-8372-4e69-8d0b-53bae01d0e9b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62625b630b5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 62625b630b5bbcb1052cb0034b60dcf702d96fec3fcfe5cb6154546a06b68634

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/442661/

Comments