MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d
SHA3-384 hash: e55d81713b2b80c031832b7850b1ed8cbf69090c27e95162462d17711b0403a30ccca9caf9af9c169afff414620271b4
SHA1 hash: 39186667323c266177842312f72f12c255c5edd3
MD5 hash: 422546abb9d826f7275d09d824441870
humanhash: washington-kilo-east-diet
File name:FINAL DRAFT BL CHARTERING KUDOS SHIPPING RF090940.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:12'696'064 bytes
First seen:2023-09-27 12:25:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 591d824e195684d1c2a6d0c96941d711 (1 x AgentTesla)
ssdeep 24576:5UkROpAK7lqNzqijv41q+CuyBjFiwqX1rWXYXcixe0BRdfdlJxuRPam:qAO9hfi/+DyDini4c01HxrNm
Threatray 1 similar samples on MalwareBazaar
TLSH T177D68C04B2970DA7FD669534C5D9B2F192FC6C0B36F1528FCF148E852E226BD0EAA531
TrID 75.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
16.4% (.EXE) InstallShield setup (43053/19/16)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.7% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FINAL DRAFT BL CHARTERING KUDOS SHIPPING RF090940.zip
Verdict:
No threats detected
Analysis date:
2023-09-27 06:28:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e1e7c8c-c10c-4375-84db-a4d8dd5f0a03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451573/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Forced system process termination
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a window
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug explorer greyware lolbin masquerade overlay
Link:
https://www.filescan.io/uploads/65141f5c1edabd9982a0c417/reports/34ee5f1c-8ab0-492b-9dd3-26ddc8779cef/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d
Result
Verdict:
MALICIOUS
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/30ea3e78-d419-4128-84ae-d1eedd38a7c4
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1315234
Signature
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1315234 Sample: FINAL_DRAFT_BL_CHARTERING_K... Startdate: 27/09/2023 Architecture: WINDOWS Score: 100 31 api.telegram.org 2->31 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 4 other signatures 2->57 7 FINAL_DRAFT_BL_CHARTERING_KUDOS_SHIPPING_RF090940.exe 2->7         started        10 btCUxw.exe 2 2->10         started        12 btCUxw.exe 1 2->12         started        signatures3 process4 signatures5 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 63 Injects a PE file into a foreign processes 7->63 14 CasPol.exe 17 6 7->14         started        19 CasPol.exe 4 7->19         started        21 CasPol.exe 4 7->21         started        27 2 other processes 7->27 23 conhost.exe 10->23         started        25 conhost.exe 12->25         started        process6 dnsIp7 33 api4.ipify.org 64.185.227.156, 443, 49780 WEBNXUS United States 14->33 35 api.telegram.org 149.154.167.220, 443, 49781, 49807 TELEGRAMRU United Kingdom 14->35 37 api.ipify.org 14->37 29 C:\Users\user\AppData\Roaming\...\btCUxw.exe, PE32 14->29 dropped 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->39 41 Tries to steal Mail credentials (via file / registry access) 14->41 43 Tries to harvest and steal browser information (history, passwords, etc) 14->43 49 2 other signatures 14->49 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->45 47 May check the online IP address of the machine 19->47 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d/
Threat name:
Win64.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 00:25:00 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uywkpj7rklwdioyleifpsihxi5ydz56fnl7oonogx72jslcnfnwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
94fe62a73491d0cc7121a87c8058e1c8b779e2ec061865cd461c77921a09966a
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230927-pl7ggsaf5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot6380692797:AAF5X4yzYxjxXRfkVUbXKscB5HDpJGCsUQw/
Unpacked files
SH256 hash:
a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d
MD5 hash:
422546abb9d826f7275d09d824441870
SHA1 hash:
39186667323c266177842312f72f12c255c5edd3
Link:
https://www.unpac.me/results/fa1fa29e-5cec-4490-b93a-b6ede6221e76/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a62ca7a7f152/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a62ca7a7f152ec343b0b220af920f747703cf7c56afee735c6bff4992c4d2b6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/451573/

Comments