MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae
SHA3-384 hash:	45f9844e5a2c0ded69d672f5f751418e90aade0a3008d2460049787f48814af8cb433fa3293c4c5ca90e9ccf3a86e438
SHA1 hash:	381c866736b6d610dc58e39886c8f028cada277f
MD5 hash:	df0c3648fd1f3d0dd277c1931e01f495
humanhash:	freddie-mockingbird-orange-mexico
File name:	df0c3648fd1f3d0dd277c1931e01f495.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	617'984 bytes
First seen:	2023-08-04 04:50:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:pqg/9ecfFmsfvvL/LtiWE6qj79AW4vC4vjz47i4oz93ILpG16:4kl3fvvL/yOW4PbZ4dG
Threatray	5'636 similar samples on MalwareBazaar
TLSH	T142D4233E3A7E867EDC4C07B42C798CC4432DDF8AFAD9FB194EC5248972A3A142135598
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	5ab9f8e4f8999ab8 (5 x Loki, 5 x AgentTesla, 3 x Formbook)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
cp7nl.hyperhost.ua:587

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

df0c3648fd1f3d0dd277c1931e01f495.exe

Verdict:

Malicious activity

Analysis date:

2023-08-04 04:58:13 UTC

Tags:

agenttesla stealer

Link:

https://app.any.run/tasks/11f5f135-daf3-48b9-9cc2-8e4ad0764756

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/440232/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker comodo darkkomet packed

Link:

https://www.filescan.io/uploads/64cc83b7539838c2be523f31/reports/2cce4371-e56a-463e-bc15-4b1f32fa9268/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/400530fd-96ec-44c9-852b-e8626aed7982

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1285536

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2023-08-03 14:16:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 38 (63.16%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mlv5b2domdps6omuozsytty3opiu33e5njhwub5reddnhhwo6kxa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3a04516d71e6a24f0f20da46230239ca177e6c1d76cb887948344694e2a376a4

AgentTesla

4dd2b1081222991f76595cae95f0e3b47f56b2cef85177fee637a2534196dfc7

AgentTesla

4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04

AgentTesla

746d3f266a1d6c17fd484a741cad28bb0578e63d235abefb6f949b90a1108a96

AgentTesla

870fc4761da55ad6c3d881026048561e5b9538cf996dfd3661da3e066d2cbdb1

AgentTesla

ba698cd54cd138ebd1df234e780463070b9e108e980512fb33a857af1c3c6248

AgentTesla

e949856ccd8b9d36fb7c2322f2c09d2a969c0121c9b08361cf16dc08c316d3ad

AgentTesla

eb8e351b8fdaadf5429c19d052428ab81b91170406b937d0f3753e334a757fe3

AgentTesla

fb0533fddd270310cba6cd3a1cae5f23356a0a28cfdb85caf6dc0c41f8c19590

AgentTesla

+ 5'626 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/230804-fgtkdsaf7v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

429f3487e5b861e7d9699f3c888a5cce3c23ddcc8fc83de79aa770aed1a9cccb

MD5 hash:

13a0714fa14255e0c8f6284d0de61ba8

SHA1 hash:

e36d5928d93b385a39ebba3df7ff3e14b387c2fa

Link:

https://www.unpac.me/results/a84f56f6-5daf-4f46-b17e-e1e2597040dc/

SH256 hash:

49145ed861b412bc015ff0800969052756deea17d5c6285da8f5937c0efdad46

MD5 hash:

0ef5168d36eee9ca0bcefcd84b907b70

SHA1 hash:

b40debea28d99750fe9b6a2b7d243eb35549aed5

Link:

https://www.unpac.me/results/a84f56f6-5daf-4f46-b17e-e1e2597040dc/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/a84f56f6-5daf-4f46-b17e-e1e2597040dc/

SH256 hash:

fdb9f75c1598135dbb9cfcea7dfc7014422c11e7476ba735877fb491ba2d5f01

MD5 hash:

bd4db8c728fe6f226a840ff92c9d1162

SHA1 hash:

93d53955e43eb5d14ba1fa16cea07eb8139492c1

Detections:

AgentTesla

Link:

https://www.unpac.me/results/a84f56f6-5daf-4f46-b17e-e1e2597040dc/

Parent samples :

4e8962c45fb4aa831a15ec2c5db19d6949c7426fa65ed3ed58ab794ad09e9f04
746d3f266a1d6c17fd484a741cad28bb0578e63d235abefb6f949b90a1108a96
870fc4761da55ad6c3d881026048561e5b9538cf996dfd3661da3e066d2cbdb1
62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae
0924aea0baf47725fc3231386ee24a1ca0f290a8a2fad119b2348a5e3273daf1
f7428bcecf7bcdf3d3fb1a8eca5b52e15fc8fd4c90077082c538c611d5b7f97d
57fb4bbec8340a3da56629716ef3716fa14a247aeef941bf37c052a815c1afc6

SH256 hash:

62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae

MD5 hash:

df0c3648fd1f3d0dd277c1931e01f495

SHA1 hash:

381c866736b6d610dc58e39886c8f028cada277f

Link:

https://www.unpac.me/results/a84f56f6-5daf-4f46-b17e-e1e2597040dc/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/62ebd0e86e60/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

exe 62ebd0e86e60df2f3994766589cf1b73d14dec9d6a4f6a07b120c6d39ecef2ae

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2695833/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/440232/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample