MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf
SHA3-384 hash: a81913086ba8833e3aa6b3e108bc7ac80302f2ed8b2fe5fc085b36b05828247e77ea2875bbb7ba2bde0fb137fcfc4f98
SHA1 hash: 62003ae4955949cf1d95a9e863f50130201f6a87
MD5 hash: 9bbfc5ce78ce96999c76224e0868cc30
humanhash: bakerloo-crazy-nebraska-jupiter
File name:9bbfc5ce78ce96999c76224e0868cc30
Download: download sample
Signature AgentTesla
Create hunting rule
File size:606'720 bytes
First seen:2022-06-24 17:05:51 UTC
Last seen:2022-06-24 20:55:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:upkPRxliW1CCQo4EqMFaaRshhZe9miYMS8wOojpZz7QmnzI/8SyNkg:0kPRrhLHqUarLZQm6jiz7QmnzZSyNkg
Threatray 18'210 similar samples on MalwareBazaar
TLSH T1E6D4F1D4E2A84EABD882D3FC587CD514266BFB4A81ECD6057CFA70CA94B63D54093E07
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
254
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283129/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b5eefde88d6da4ffc2f9d9/reports/c21819a8-24ef-499e-9595-e7cb327fa81e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0f44fd91-fa91-4d21-816f-997e712a7473
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1019496
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 651992 Sample: FKpGm30PfD Startdate: 24/06/2022 Architecture: WINDOWS Score: 100 31 Malicious sample detected (through community Yara rule) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AgentTesla 2->35 37 6 other signatures 2->37 7 FKpGm30PfD.exe 3 2->7         started        process3 file4 21 C:\Users\user\AppData\...\FKpGm30PfD.exe.log, ASCII 7->21 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Performs DNS queries to domains with low reputation 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 11 FKpGm30PfD.exe 2 7->11         started        signatures5 process6 dnsIp7 25 resultboxx.xyz 185.244.36.213, 49743, 587 SPECTRAIPSpectraIPBVNL Netherlands 11->25 27 mail.resultboxx.xyz 11->27 29 192.168.2.1 unknown unknown 11->29 23 C:\Windows\System32\drivers\etc\hosts, ASCII 11->23 dropped 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file / registry access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 16 WerFault.exe 23 9 11->16         started        file8 signatures9 process10 file11 19 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->19 dropped
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-24 00:30:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wyu4d5qkorkzf3xgdsws67akzwp3jzmuuz6wy6xs3pc7v24hvo7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0cf8aeac532cc3971c258bdec24824d281268a2ae99263026c362c86ea1466c1
AgentTesla
55101b6d8abe8c2b24b8e7c8f83c6409cce3e1572d80fbb186d3271bb3d48037
AgentTesla
57a45cc2512f42b829e6d52fd76edb3f1e9d6b624b8a11ca767186a82d407bc0
AgentTesla
6f0cd7bc83d1a7d853e7d323f2888ba1979f5e4195cf3cb471bf6baaeb236fe8
AgentTesla
7db93b2a8d85934f23c15b78a321dc71dcac4cb146d9dbe8df3d22c5d91fdad1
AgentTesla
7f297b3a0108b6922377cf04123bf9d1b8c88fe0c2cacb32154adada625f860d
AgentTesla
8e69fabd7a9980914350fd776f5648f8f905835bebef17bbe5eda62bb3610cbc
AgentTesla
bb2501afef978abe94defdf1b67201f6dd8202e98dcb480b162f30ef0d2891e5
AgentTesla
+ 18'200 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/220624-vmdtfsgda2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
f01302726f68b9a9f4c666cbb436649ebf8fba50bbab72b532101fca61e0dd8e
MD5 hash:
650f71fb28b3788a1e5bf2a951544ac3
SHA1 hash:
b5d334b7666159e292abf8a0b6e20afaefbfa142
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
SH256 hash:
b101ad00ac4b5ae4cd4a23b461c398b2ac198c951df6a281b51109b8648a0c3a
MD5 hash:
489bcd0efdc8e6dcf09151dc20b2fd02
SHA1 hash:
a52e61d20d672f9795c0166a30413323fcd1969e
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
SH256 hash:
d997e2e16c17a759bd195e227176a825eac441673eb98a41cdc55bbed94232c3
MD5 hash:
1c37f8d50743496a87516300dcc360fa
SHA1 hash:
6d22508d60ee884ce29ed4dd8e80c6b9497b615c
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
SH256 hash:
87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d
MD5 hash:
9b17d560e68eff0da30f79b3c391c9a3
SHA1 hash:
5ceda263b1ea13401f652c709dd884d58945fe57
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
SH256 hash:
aca3f11d1e3a4b169aa72a0235c0c2ffdb3caf00072d3a130f33797f1dffb198
MD5 hash:
c0719cfe8ab38e6ea0af6e1dff1ae4b9
SHA1 hash:
006ea51759f7ac7cb9fae539bc44dbc9adb5478b
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
SH256 hash:
b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf
MD5 hash:
9bbfc5ce78ce96999c76224e0868cc30
SHA1 hash:
62003ae4955949cf1d95a9e863f50130201f6a87
Link:
https://www.unpac.me/results/0e90fa52-5353-4291-aeeb-7dd4c317476d/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b629c1f60a74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b629c1f60a745592eee61cad2f7c0acd9fb4e594a67d6c7af2dbc5faeb87abbf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2249091/
Cape
Cape
https://www.capesandbox.com/analysis/283129/

Comments


Avatar
zbet commented on 2022-06-24 17:06:01 UTC

url : hxxp://85.202.169.21/governorzx.exe