MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b54609bea9a6af4f71daa41bfaeb75235f662d608480020257a9eba7255dd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	62b54609bea9a6af4f71daa41bfaeb75235f662d608480020257a9eba7255dd4
SHA3-384 hash:	7086dfde254aa1fa35a19a2cad0285ea196049fc692e176ca274fa6740cf81c037b5ffb4b8f3b34bb8a9ad9e4757348b
SHA1 hash:	b7aacc8139ee8c4d74b507c1435e0fb04d6a0a99
MD5 hash:	2b83697e842ccf54a72b2ca68f44947b
humanhash:	massachusetts-enemy-fruit-burger
File name:	BuXml0xOJlFXusF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	564'736 bytes
First seen:	2021-02-26 15:16:06 UTC
Last seen:	2021-02-26 16:54:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:rCrSTm/iQ+p9lWrgwIYrtVw9Zfjovnwj:a/A3Yr0nfk4
Threatray	2'874 similar samples on MalwareBazaar
TLSH	8BC4CF70378C9F46E73D97BD9060110063F1A903E762DBAF7DE510DE1DA2FA18266A87
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BuXml0xOJlFXusF.exe

Verdict:

Malicious activity

Analysis date:

2021-02-26 15:19:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4d78420a-d6d8-4865-9991-08d6f4a8d3e7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/119437/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.17040.4426.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/619808

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/62b54609bea9a6af4f71daa41bfaeb75235f662d608480020257a9eba7255dd4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-26 15:15:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mk2umcn6vgtk6t3r3ksbx6xlourv6zrnmcciaaqck6u6xjzflxka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1d380dfada55e561b147894bc58c64b6d7f14e44cfd069df0d15dcb2533e4880

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3

AgentTesla

3ee4e620dd7cb6d8a6f604e5653a4f5cbf1258032ffc7d13ae9a415c672a5713

AgentTesla

61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d

AgentTesla

72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75

AgentTesla

b28a86d010b9e52bf00698dbef0d9daeaccc4c67ae772d83bead4541d2feed7b

AgentTesla

cbf9d4ef21092210f58ad0cbdd4753dbbf785387dd8f3001014672679196c65c

AgentTesla

d2433dbd7a76e652575d56f53a9ec74e403a66076351b0494ed74f5f2518af2c

AgentTesla

+ 2'864 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210226-s1jz6h84hs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

e624003658c4f8b349f567c82229fd15d1e63d3d20fe6f7b4388403038cd2a44

MD5 hash:

b6ce7c1d81b9271eab825ea63de154c3

SHA1 hash:

0e7b89555314f8908c1098b652c9bf50e5ecc27b

Link:

https://www.unpac.me/results/c761f6f2-91fb-40f8-a6d7-6f3b435d4042/

SH256 hash:

62b54609bea9a6af4f71daa41bfaeb75235f662d608480020257a9eba7255dd4

MD5 hash:

2b83697e842ccf54a72b2ca68f44947b

SHA1 hash:

b7aacc8139ee8c4d74b507c1435e0fb04d6a0a99

Link:

https://www.unpac.me/results/c761f6f2-91fb-40f8-a6d7-6f3b435d4042/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/119437/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample