MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d62d0dfa280cd130a3c9a1d39cddc61ca6212bb7a3fc2fdf39b72ff11dfe7a06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 8



SHA256 hash: d62d0dfa280cd130a3c9a1d39cddc61ca6212bb7a3fc2fdf39b72ff11dfe7a06
SHA3-384 hash: db2a4f203950a2ce2ac230b8283d7b2add9e1be7acbe1d78cd159ec9700bb3df5f2af69db2dde1e952451147f0afb8fc
SHA1 hash: 7c8b31dab8e1b1cc70503170fda57279159e2a1f
MD5 hash: 5b7b0e993f7f44ae724171af08bf1cae
humanhash: sixteen-march-purple-south
File name: 5b7b0e993f7f44ae724171af08bf1cae.exe
Signature: AgentTesla
File size: 794'112 bytes
First seen: 2020-10-19 11:03:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:3AGI/TFOcl7vfVtfJM2J6Hl8uloAEaX8nGluuxADYhiNMcLNAefcToIOqW6ADnF2:YfVbRJ6F0GXdcCYwWtFe+J
Threatray: 673 similar samples on MalwareBazaar
TLSH: 61F4932439AB500DF173AF79DEC471A2DA6BF762260AE46D2062C3060613B87DFDD539
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
AgentTesla SMTP exfil server:
smtp.yussmed.com:587

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 88
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Launching a process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Behavior Graph ID: 300129
Sample: n05Tpt4o9d.exe
Start date: 19/10/2020
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 4 other signatures
Process tree recovered from the graph:
n05Tpt4o9d.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\...\chlonx.exe (PE32); C:\Users\user\...\chlonx.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\n05Tpt4o9d.exe.log (ASCII)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys; Adds a directory exclusion to Windows Defender
    Started: n05Tpt4o9d.exe (second instance); powershell.exe
    n05Tpt4o9d.exe (second instance)
        Dropped: C:\Users\user\AppData\Roaming\...\newapp.exe (PE32); C:\Users\user\...\newapp.exe:Zone.Identifier (ASCII)
        Signatures: Creates multiple autostart registry keys; Hides that the sample has been downloaded from the Internet (zone.identifier)
    powershell.exe
        Started: conhost.exe
newapp.exe (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
chlonx.exe (started)
    Signatures: Injects a PE file into a foreign process
    Started: chlonx.exe (second instance)
2 other processes (started)
    Started: chlonx.exe
Threat name: ByteCode-MSIL.Spyware.Stelega
Status: Malicious
First seen: 2020-10-19 11:05:09 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE
Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: AgentTesla
File: Executable exe d62d0dfa280cd130a3c9a1d39cddc61ca6212bb7a3fc2fdf39b72ff11dfe7a06 (this sample)

Delivery method: Distributed via web download

Comments