MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b62c1823da94e2ddcac0eb6cfe707babe137a8fba773a4bef60130d553959e4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b62c1823da94e2ddcac0eb6cfe707babe137a8fba773a4bef60130d553959e4e
SHA3-384 hash: ab9e0990855141137495d23dcd6a50fef8add9a24fcd873e6c759baa7e5c9c9d92aae036c677cface9c205b85a391a9f
SHA1 hash: ebe20ebf01dc48383d858a3670618c5cc85743c3
MD5 hash: 5ca266f8c24963e0e9fc53a6f927c207
humanhash: spaghetti-stairway-football-alpha
File name:SecuriteInfo.com.Trojan.PackedNET.543.30997.30152
Download: download sample
Signature AgentTesla
Create hunting rule
File size:752'640 bytes
First seen:2021-02-17 16:09:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ceCeV/kqJnwwVh5RvoIUzzQhMyOq8LQD7ThPyWBTSDlEAWi98/EOLYh:cehV/kgP5Rw0hssDJPyOT8IirC
Threatray 2'694 similar samples on MalwareBazaar
TLSH A1F48C1762986F6BF0BD9776A471940087F0BC27E7A5DA9DBED070DB1470F40CAA2B42
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://tunedinblog.com/wp-includes/gdx.exe
Verdict:
No threats detected
Analysis date:
2021-02-17 13:33:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/648ea64b-2875-4b87-b118-17139a280511

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.543.30997.30152.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/610544
Signature
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b62c1823da94e2ddcac0eb6cfe707babe137a8fba773a4bef60130d553959e4e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 17:30:52 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wywbqi62strn3swa5nwp44d3vpqtpkh3u5z2jpxwaeynku4vtzha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d1c7e4441d356fd59afca292924b34f4b18867aca7d5892210f2d997753c190
AgentTesla
43dc584275e87192148542ab82f312d5c809444982536a6403898804a50c72a1
AgentTesla
5ae71498e3b1d2707c84bcd6f43566b8834f310dccafd64ef81e54cbe7ac4b01
AgentTesla
5d617282230f991221360f213e15b0e62d0c462afc3d32299c9b410658fbb106
AgentTesla
73c58bd017026340507d10cc2b3237c6c32835dc69571e81df1a5905981b3d63
AgentTesla
830b1a2dd4417c9bf6fec88dbb169de7709e247b1276a8bef4a6b14e0bd017e9
AgentTesla
91b00403de43b3c7d5f630b69934dcb1a9694c6a2cbea5eae599caa54405cf81
AgentTesla
b9f2863fa3e07c6c02defa3f19574f71118fcdbb37b1f4292088226319da3a78
AgentTesla
ebba3cbb31b33009b718185d391d43e4373a08aca718591c3af294ee34400ff7
AgentTesla
eedd733043ad7e9c4b0c380501ba8e72166aa85fa415734342dd889293814c0c
AgentTesla
+ 2'684 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210217-bkkcab2gre/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/506fde87-fe79-4ed7-a4aa-ddbffa99e8ea/
SH256 hash:
3111f940fd13993b12183dcfaab085154ed75aee49b142d6dfcaa51b520246b7
MD5 hash:
598bfa8aa6d679a1b6f362a3fbd89d48
SHA1 hash:
b80ec2016be8316204afdaf252e634afe5b1117f
Link:
https://www.unpac.me/results/506fde87-fe79-4ed7-a4aa-ddbffa99e8ea/
SH256 hash:
51cc06b597914e0aa45ea4cf4b77ef02938a48252ff67ec7f71e2f971801861a
MD5 hash:
c87fd21ad6d213ca78e8233f8af67bde
SHA1 hash:
fc8f8ead671b765774b3e77541a027790657cc5d
Link:
https://www.unpac.me/results/506fde87-fe79-4ed7-a4aa-ddbffa99e8ea/
SH256 hash:
b62c1823da94e2ddcac0eb6cfe707babe137a8fba773a4bef60130d553959e4e
MD5 hash:
5ca266f8c24963e0e9fc53a6f927c207
SHA1 hash:
ebe20ebf01dc48383d858a3670618c5cc85743c3
Link:
https://www.unpac.me/results/506fde87-fe79-4ed7-a4aa-ddbffa99e8ea/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b62c1823da94e2ddcac0eb6cfe707babe137a8fba773a4bef60130d553959e4e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1015776/
  
Delivery method
Distributed via web download

Comments