MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50
SHA3-384 hash: 0afe55948961f82417f1a0cfedf2f93600ed9f5a51c8e19e63f9aedb7edd190cf518cd6518220f3d312ab266ad18da23
SHA1 hash: bc28e1905621106085707866a88162c9a867a009
MD5 hash: b689c5cb896835c4a6a3bbe33129dd37
humanhash: florida-mars-ink-princess
File name:Remittance20036pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'672'640 bytes
First seen:2023-03-06 15:40:39 UTC
Last seen:2023-03-07 13:42:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:xBrXtw2Irak7ZoNNosz4TztSXXo5pl9YZq2v3ret511WKe++7PXf:X9qNm4T86MejWjTv
Threatray 375 similar samples on MalwareBazaar
TLSH T102C54A2439FA501AB173EFA98BE475EADA2FB7733B07645D1091038A4723A81DDC153E
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f6f9b5e6c486b3c9 (6 x Formbook, 6 x RemcosRAT, 4 x AgentTesla)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance20036pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 15:46:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f94e1d7-2651-496b-9d37-fde67cdfe0e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372068/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.26496.6878.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/640609960e8ce4beca25db5e/reports/76e0980b-ea38-437a-ad6a-8bef8f28f556/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74820c5e-756a-40d0-9e84-2fb70ef85e5b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187920
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 820794 Sample: Remittance20036pdf.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AgentTesla 2->43 45 2 other signatures 2->45 7 Remittance20036pdf.exe 1 2->7         started        11 ckje.exe 3 2->11         started        13 ckje.exe 2 2->13         started        process3 file4 27 C:\Users\user\...\Remittance20036pdf.exe.log, CSV 7->27 dropped 57 Writes to foreign memory regions 7->57 59 Allocates memory in foreign processes 7->59 61 Injects a PE file into a foreign processes 7->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->63 15 RegAsm.exe 6 7->15         started        65 Antivirus detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 signatures5 process6 file7 29 C:\Users\user\AppData\...\Tcnmikbbfcbl.exe, PE32 15->29 dropped 31 C:\Users\user\AppData\Local\Temp\Faedr.exe, PE32 15->31 dropped 18 Faedr.exe 15 2 15->18         started        22 Tcnmikbbfcbl.exe 1 4 15->22         started        process8 dnsIp9 33 logxtai.shop 198.54.116.202, 49697, 587 NAMECHEAP-NETUS United States 18->33 35 api4.ipify.org 64.185.227.155, 443, 49696 WEBNXUS United States 18->35 37 2 other IPs or domains 18->37 47 Antivirus detection for dropped file 18->47 49 Multi AV Scanner detection for dropped file 18->49 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->51 55 5 other signatures 18->55 25 C:\Users\user\AppData\Roaming\...\ckje.exe, PE32 22->25 dropped 53 Machine Learning detection for dropped file 22->53 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 03:23:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mlbcdfsbqer35gxyvoofudlm5le3szvyvrocih5c6wp6mtz5x5ia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5c7ea36ba0644e026b9a8e6fbaaa4e88f8cc4be90f2ebe96ab041645c0b9bb51
AgentTesla
5d45948167c781bc6167406bf9b8f97f4fea8d976581c6c5130d9ee5a2b11831
AgentTesla
65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad
AgentTesla
841c1860b52b3817eed70e4d1f1bca972f0406e666bd8d034735fe70cc713831
AgentTesla
8b1d3c51ec4e9c3675e220f892b6d94b722d9fdbf4010d6c2f914fcc2bc4f36d
AgentTesla
c7554a7609cf9428545460211a203ed575173798679198a502fe847bff3cc044
AgentTesla
ca4033db02bded2739ca4e31c72910e4c5995f9437cda0c4767a8113166d84b6
AgentTesla
ffe2e43e59074cf27875cc31e8be84503b1a6854dd3f2480b5aff7b6b220a416
AgentTesla
+ 365 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230306-s4s9csdb32/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
b3ef5358fd472fb815b25ae19c8bd2b5a8ae5c23d1663817f4d43f4c8ea434e9
MD5 hash:
657869ead2c78a0abe392aba22f694c4
SHA1 hash:
4bd473e6d292b4226438c25bd98b3990a59c5489
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
b6b5405c00b628a2e6dafe0c8afd15fcf457a8c8d6e785a849631ee11d749127
MD5 hash:
990b16f1a2f4678cf15336ab31faca67
SHA1 hash:
1e142206c3986ccb93442ce54998b8b4aeadef37
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
573ab63918fbd92d271c0d8d4afd0217001042bdbc4a11862f36b9615c558452
MD5 hash:
a037d46b9aab9367d01a654bbd67cf5d
SHA1 hash:
19c8a0d47ca3bb54c3702164901ad3769007ff4a
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
4345d15dcca24277c7d1f60d1583ae1d58d029c9aeaecc76b13c5daf07ce48a3
MD5 hash:
64cf6f9f2af4fdb442807392ad8a21c2
SHA1 hash:
2effb6251c48e02518b3f9a1b7aa78f99726dc6a
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
33eed90ee9d7f5e5dde26e930f424fc0a6a78b9f99a67837ef0be5a0b3945106
MD5 hash:
55a4b1839408ca24880d72641c323123
SHA1 hash:
02067283b2339edf44ca02794301b29eb529eb25
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
Parent samples :
33eed90ee9d7f5e5dde26e930f424fc0a6a78b9f99a67837ef0be5a0b3945106
4ce7a341e7f7fa0e25a3e138f2586b70af6e10d69b29c5ed0242876dca67267f
72608223bb6b1ef8d577f7302a5c63ada4976971ba0400fb0d01b296a0b2fba6
16122022e662164152159bdefa62d7024c6aace27213b34ef150fb90fbb539fb
4ae529ced4b3a4e8da8ffbe6146321e551d333c0aa13daf516f1eb4e43837665
SH256 hash:
d5bc4cedc73053b6063e7ffb8e248ca03d9caaa905acdbce52342737d538f76d
MD5 hash:
d5f0f0717342b1b4d971aa33d484b870
SHA1 hash:
5ac63195a56cab38627dacfd09887ba0abc12030
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
db2b8b08c54c6b656174338db933b8d544e1348d82d5269ab016be259dd99fa2
MD5 hash:
84f1cecf39e404717f2fce5dbe3904bf
SHA1 hash:
0d3dec1381cc9e1266a0bd1044a0714c267c807f
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
SH256 hash:
62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50
MD5 hash:
b689c5cb896835c4a6a3bbe33129dd37
SHA1 hash:
bc28e1905621106085707866a88162c9a867a009
Link:
https://www.unpac.me/results/4e347723-7041-4d77-96e5-7e652bac8e77/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/62c221964181/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.73
Link:
https://yomi.yoroi.company/submissions/62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372068/

Comments