MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 628e749249520c025d931f4e78c48d9fc450362f60f7ad7d31f1e4e58927cfb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 11



SHA256 hash: 628e749249520c025d931f4e78c48d9fc450362f60f7ad7d31f1e4e58927cfb0
SHA3-384 hash: 69d1dde146442940a5d696ad15e488c20e779f411079d4f5af8cd3546b88078aa7572c4c1c659e518196e9dbfdc4f516
SHA1 hash: 8bbe7aa82a29c5c2c9c04c206022c5327e63b8be
MD5 hash: b85eeccf5c6ad6e5fd7dca4ffdaaf21e
humanhash: carbon-delaware-skylark-bacon
File name: Booking EBKG09538802.exe
Signature: AgentTesla
File size: 471'360 bytes
First seen: 2023-09-05 08:30:45 UTC
Last seen: 2023-09-05 13:54:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 12288:E0JI+8FhzTuCtWgZHYi9p/8/Qo6dU6Kx9+sOYhJOml:j83zTuKWgZ4i9t8/f6DKx9tN
Threatray: 5'461 similar samples on MalwareBazaar
TLSH: T131A42293DB71D2F7C4034AB03CB44A29FBB4D0C95175061B375C399BBE1AA869C8E25B
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f0f0f0712bf0d4f0 (2 x AgentTesla, 1 x Formbook, 1 x GuLoader)
Reporter: malwarelabnet
Tags: AgentTesla exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-08-06T05:02:56Z
Valid to: 2026-08-05T05:02:56Z
Serial number: 199ef1deb1dc46600449d1929a81a209d6198259
Thumbprint Algorithm: SHA256
Thumbprint: 30bc7e21d47e9435b238c8deb94a543dbb871d1ea59e3b447c1b82bb47e07cff
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 294
Origin country: CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Booking EBKG09538802.exe
Verdict:
Malicious activity
Analysis date:
2023-09-05 08:33:25 UTC
Tags:
stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Launching a process
Gathering data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
GuLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected GuLoader
Behaviour
Behavior Graph (ID 1303371; sample Booking_EBKG09538802.exe; start date 05/09/2023; architecture WINDOWS; score 96), recovered from the flattened graph rendering:
  Start node: Yara detected GuLoader
  Booking_EBKG09538802.exe
    -> powershell.exe: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
      -> powershell.exe: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Tries to detect Any.run; Maps a DLL or memory area into another process
        -> CasPol.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); May check the online IP address of the machine; 3 other signatures
           Network: api4.ipify.org 104.237.62.212:443 (WEBNXUS, United States); googlehosted.l.googleusercontent.com 142.250.217.193:443 (GOOGLEUS, United States); 4 other IPs or domains
      -> conhost.exe
Threat name:
Win32.Trojan.Synder
Status:
Malicious
First seen:
2023-09-05 03:59:38 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
9 of 38 (23.68%)
Threat level:
5/5
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks QEMU agent file
AgentTesla
Unpacked files
SHA256 hash:
628e749249520c025d931f4e78c48d9fc450362f60f7ad7d31f1e4e58927cfb0
MD5 hash:
b85eeccf5c6ad6e5fd7dca4ffdaaf21e
SHA1 hash:
8bbe7aa82a29c5c2c9c04c206022c5327e63b8be
Malware family:
AgentTesla.v4
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader
Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments