MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e
SHA3-384 hash: 312bf9ded7bcd66d3fca2fee41118adb7b96cbe6eba9b1875ac8f177796b87cbde628d5413d79116808e2837a4562822
SHA1 hash: 1759f1c5ebcf7bada5946b50d61ad1148e4f8f35
MD5 hash: 35733a06b97b589fc2fc03c9d17a32e7
humanhash: snake-utah-hawaii-beer
File name:IMG_17503_2168pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'847'296 bytes
First seen:2023-04-19 18:53:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:FwUp7VuMFwg1bRSGDLB1rCPKqgAoKALiy373dKBEP+orA6yQw7aBDe8VesL:1VuMF5r1IKQAOyRKp
Threatray 2'210 similar samples on MalwareBazaar
TLSH T1BF85C072028BBEDBD7BB0DB4D68715444C94ACFF1218E2A4F8CCA15A61B755CEE91CB0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon dcdc888898ac9cb8 (11 x AgentTesla, 1 x Loki, 1 x DarkCloud)
Reporter Anonymous
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f (2).exe
Verdict:
No threats detected
Analysis date:
2023-04-17 19:07:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e9db3065-8f8d-4353-8590-0be5da16d9b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383544/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33479901.17476.22028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6440389426946732736fec7e/reports/1612966e-7e5c-4e55-9eed-f677f4d42d18/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb66d224-78dc-4d0b-b2b9-813a902f49ea
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217176
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Encrypted powershell cmdline option found
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850123 Sample: IMG_17503_2168pdf.exe Startdate: 19/04/2023 Architecture: WINDOWS Score: 100 61 Found malware configuration 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 3 other signatures 2->67 7 Zxebaqk.exe 2 2->7         started        10 IMG_17503_2168pdf.exe 1 5 2->10         started        13 Zxebaqk.exe 1 2->13         started        process3 file4 69 Antivirus detection for dropped file 7->69 71 Multi AV Scanner detection for dropped file 7->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->73 75 Machine Learning detection for dropped file 7->75 15 Zxebaqk.exe 7->15         started        19 powershell.exe 13 7->19         started        39 C:\Users\user\AppData\Roaming\...\Zxebaqk.exe, PE32 10->39 dropped 41 C:\Users\user\...\Zxebaqk.exe:Zone.Identifier, ASCII 10->41 dropped 43 C:\Users\user\...\IMG_17503_2168pdf.exe.log, ASCII 10->43 dropped 77 May check the online IP address of the machine 10->77 79 Encrypted powershell cmdline option found 10->79 81 Injects a PE file into a foreign processes 10->81 21 IMG_17503_2168pdf.exe 15 2 10->21         started        23 powershell.exe 16 10->23         started        25 IMG_17503_2168pdf.exe 10->25         started        27 Zxebaqk.exe 13->27         started        29 powershell.exe 13->29         started        31 Zxebaqk.exe 13->31         started        signatures5 process6 dnsIp7 45 api.ipify.org 15->45 33 conhost.exe 19->33         started        47 longyarh.shop 63.250.35.178, 49702, 49705, 49706 NAMECHEAP-NETUS United States 21->47 49 api4.ipify.org 64.185.227.155, 443, 49701, 49703 WEBNXUS United States 21->49 51 api.ipify.org 21->51 35 conhost.exe 23->35         started        53 api.ipify.org 27->53 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->55 57 Tries to steal Mail credentials (via file / registry access) 27->57 59 Tries to harvest and steal browser information (history, passwords, etc) 27->59 37 conhost.exe 29->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 14:15:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yx7g5v22gpgf5z2qeqqv44y4u4i66zyueuu22rjhkfqnh5dv4pa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09da622ef3e5d5a12d5b51075e06a1ed054ac21d37eadb07cd901366150895a7
AgentTesla
2272345c34a9a89b1bc3803e5904206aa662690621cd6efd210f92c94811c1de
AgentTesla
5d04253687696ebbf3c04459cdd8f9d3b8eb889477d70df89b24efeda069c701
AgentTesla
69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be
AgentTesla
851ba7c21f63f16e1803b4adb7259bf64c0809218f58821f45f758b6b9a7ecb3
AgentTesla
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
AgentTesla
f375bbb04fb38ff87c1112755329594198795e41c54b9629e04ba5c6e92a5dc4
AgentTesla
f9b3b368ead42e40cc95eec1086d998fef8248e47985c15c45458c6415ffdca1
AgentTesla
+ 2'200 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230419-xjnklaef5v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e
MD5 hash:
35733a06b97b589fc2fc03c9d17a32e7
SHA1 hash:
1759f1c5ebcf7bada5946b50d61ad1148e4f8f35
Link:
https://www.unpac.me/results/d5b0f8f9-a5d0-49dd-9b5c-03d7afce7b0a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f62ff376bad1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f62ff376bad19e62f73a81210af398e5388f7b38a1294d6a293a8b069fa3af1e

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383544/

Comments