MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
SHA3-384 hash: e4c800ae0b27a5ef2b89e0ce4830530cd7762c9bd943e5c12737b6f44269f1bf7f84a97cec168873eac23b0b69246b9f
SHA1 hash: 2153e9b47a9be2e1075191e06018a7caec6a3e01
MD5 hash: 63b22a598a3265464805fc889cfd1dbc
humanhash: alpha-virginia-fifteen-uncle
File name:ACCEPT_014STSY529093.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:662'166 bytes
First seen:2023-08-16 13:02:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 429 x GuLoader)
ssdeep 6144:WYa6rHUPAE9LupuvAiybV2KD1vi9+C174Dck6S2Vq5h70kQ:WYFUPb9Lupu4iI3K9+Ci/6S20hq
Threatray 5'044 similar samples on MalwareBazaar
TLSH T17CE4DF386E938096D5FF07F2391992534FEEADED24B4C756223033391EB539D990A272
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0cc96e8cce8d4f0 (18 x SnakeKeylogger, 5 x Formbook, 5 x Loki)
Reporter malwarelabnet
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
ACCEPT_014STSY529093.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-08-16 13:08:43 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/db4bb82d-ad40-43a5-bf08-065dd6768446

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/443031/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Reading critical registry keys
Setting a keyboard event handler
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102976/overview
Behaviour
MalwareBazaar
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fd92d4c-911b-4796-867e-cd949868a998
Result
Threat name:
AgentTesla, NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1292126
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-08-16 01:43:15 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 24 (91.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yyxpxeu3dadqchvo2tumkdjmtbypxnf7m6xsckv4u27baqzinzka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b27deefbf362687701891f8fcbacf4122ce0a6e4972bc7b68cc8f3e7034b1eb
AgentTesla
3f1d383f87ddadde53543ae6155ce7ef17b543aaa8af6b4953e26a64ae796ce8
AgentTesla
7db31265fd1ed9cc2d9c96e294b2caaddad57cd167a1f25d07fac7588e40e20a
AgentTesla
8c4cc2077f0eab36be58bb86b34035f1b9c133902630526f609ff0c194f4f236
AgentTesla
8eaffa403a0bacae0e43928c07f77ea8540b480eda49e10d4a44079b8e0236fe
AgentTesla
8f81fd0cd66548518e82ab4238cf83a55989de7b1ab9099ef43892d0272b41e5
AgentTesla
a482218c80bb91030f21119952bad2383fc9a5b69dfcd954b5b80585858fbd56
AgentTesla
b017455b50865cfdd26486b8c6d8348294ee6fba27ea97eb2d94e6a56b7397b5
AgentTesla
e68187fa7d7293996751255a331a96cf766d07d45d835570403b8c1363a72d69
AgentTesla
+ 5'034 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230816-qacneacg6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6a029006f4e9749dd3abf22d7d856526b2fa823b92e91d9ca447b407fff41c4d
MD5 hash:
650d47b852060e6166669b6c1d8296ff
SHA1 hash:
a56e17b9a1daae65007d71b4d57fcc4d2e4189ad
Link:
https://www.unpac.me/results/49d95f7e-9f3d-454b-83b0-eb8696be900e/
SH256 hash:
27bad9afa99d50194eaa94d06316b25408418a2c641eebf1049a8bb99e27ae9f
MD5 hash:
e7025f66ae6430ac9467591d4e51ea9f
SHA1 hash:
6b8e588cddfe5f4e00e0f04ae6cbd94ccd540e30
Link:
https://www.unpac.me/results/49d95f7e-9f3d-454b-83b0-eb8696be900e/
SH256 hash:
92ada27bd1d8e976e85588d78e43d64e883669d99b5e6e871203dd3e928515b9
MD5 hash:
c7f2b8a7caf9a8178c9bfe2e24aba1a2
SHA1 hash:
548889de6a48824f6e6aa6ac73fa3cc5e1988aa3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/49d95f7e-9f3d-454b-83b0-eb8696be900e/
Parent samples :
c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
ac69b48787302afa53641d88ea384c6aff213692d4ffdf9963144ae1dd8c44bd
SH256 hash:
c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54
MD5 hash:
63b22a598a3265464805fc889cfd1dbc
SHA1 hash:
2153e9b47a9be2e1075191e06018a7caec6a3e01
Link:
https://www.unpac.me/results/49d95f7e-9f3d-454b-83b0-eb8696be900e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c62efb929b18/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c62efb929b1807011eaed4e8c50d2c9870fbb4bf67af212abca6be1043286e54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/443031/

Comments