MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806
SHA3-384 hash:	e7460df55196a6e6937615e6affdce3a42e559ec6080bf37436d47d444c84e93febaa528246b2caf3c90b889904ad008
SHA1 hash:	a37d125ebe7641fd00addf211083cafe08335f06
MD5 hash:	e47210accd809054f50bb4f1c765004e
humanhash:	north-cold-summer-floor
File name:	GIB.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	466'432 bytes
First seen:	2023-03-28 13:35:18 UTC
Last seen:	2023-03-28 20:32:12 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:ZjXTfWDjZOeitDtLlP547QTbIbjGV3u3Cj3YE2:J7WfZOfllIbjIeScD
Threatray	1'242 similar samples on MalwareBazaar
TLSH	T184A4120057AC1215E62F15B5AB72E32283B0F6023A60E75D0D1E35A56DAFFE04B71BF2
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

GIB.exe

Verdict:

Malicious activity

Analysis date:

2023-03-28 13:37:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1673aff9-2c4b-4f1e-a1ce-a3cb980bb804

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378177/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.11346.5549.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6422ed43f7dd2dc86f479258/reports/e8ae255f-18a0-4099-9845-81bbe6a3409a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d5ed1599-fe6f-45d0-9262-a797bd545bc5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1203663

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806/

Threat name:

ByteCode-MSIL.Trojan.Pwsx

Status:

Malicious

First seen:

2023-03-28 13:33:51 UTC

File Type:

PE+ (.Net Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iplgcaqjnmlr26ivqlhevv4idrujizmuvep2tretd2p2423q5ada._file

Verdict:

malicious

AgentTesla

41955ff332c22ffa3c2014f4bdffc2db6b5ae75d8289df443929a507dca525cd

AgentTesla

4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36

AgentTesla

66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a

AgentTesla

67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8

AgentTesla

bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268

AgentTesla

bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48

AgentTesla

bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055

AgentTesla

e2dbdd45e11e2b7e32caef9e2f4365d05e63eaf13724bea2ed842a503adb802f

AgentTesla

fbfa8f32f35e7925f320978a55f28df0c6214cefd8a93fa02a0c1d946d100715

AgentTesla

+ 1'232 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230328-qv8lksbc77/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/

Unpacked files

SH256 hash:

43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806

MD5 hash:

e47210accd809054f50bb4f1c765004e

SHA1 hash:

a37d125ebe7641fd00addf211083cafe08335f06

Link:

https://www.unpac.me/results/6e320d4a-6ab4-45e9-bcad-e40383ea2655/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/43d66102096b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/378177/

URLhaus

https://urlhaus.abuse.ch/url/2589171/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample