MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6
SHA3-384 hash: acebb4210dff491e9181f7fbae7ce8520b316517c085036e74fce9fa87a2740a1a30478e315d2fccab8d672ad9260f04
SHA1 hash: c33544c1f436191218274a8cb889ffcc4d6cf8c0
MD5 hash: b4de5fc46cd12ce94031974b006f4213
humanhash: edward-iowa-south-arkansas
File name:b4de5fc46cd12ce94031974b006f4213.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:724'480 bytes
First seen:2023-09-29 11:35:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:2c5AckjQeKF6ST1yTEoSA/RFt/5kSIW9AKKWjIy6+87jYy:dkEeM6CyTEPAzt/2SIQrLIy6zP
Threatray 6'455 similar samples on MalwareBazaar
TLSH T137F402026BC90181F5BA267989B5013247B77A62D939DF2C0DCC609D1FFB390BA51FA7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 229878f8b4f031c4 (24 x AgentTesla, 5 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
file.doc
Verdict:
Malicious activity
Analysis date:
2023-09-29 10:11:02 UTC
Tags:
exploit cve-2017-11882 loader stealer agenttesla
Link:
https://app.any.run/tasks/c3c7d23f-bc7b-4f41-99f1-4ff8a8fb20a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451953/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6516b6a932ffdb7a7a18d2b7/reports/b66e9aeb-7b7f-4eb6-ba64-c021f53f702c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b1f7f2a-b87a-4b3e-b469-d9189221926b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316534
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-29 07:05:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
10 of 36 (27.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mowzjvhokdt63n6kees6usefhadivlgu2vzl4ix2cqfn34iwghta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
88080f19c9f055d11826bcde90abea78f3531317a840e7ddef759192615ca499
AgentTesla
95b4104ced9d11a7f6b53221793f7560f9161c163c5236a44ef0da3ad24093f6
AgentTesla
9b8d232557686b014c7d81422e07090548f11a2fa9750a7b8233286539b1a048
AgentTesla
e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea
AgentTesla
f2814d657629b6b1a63fc30ff8204741ad1ec2127f70752694735d938d427178
AgentTesla
ffd7fc226ac862e9c9a944e35a73a151e1399595030a3826482e15bc82b5af92
AgentTesla
+ 6'445 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230929-nqlvxaab8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
5ab11a933c95891b62f1ba94f38cdf01ded8f19061946601670c430d084dd007
MD5 hash:
24e1d07ed94115e19deac95b30c3af96
SHA1 hash:
bb6c15b4d1cbc2b3307a58af6d0c3d5ec6ce4e09
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
SH256 hash:
bc6e1487bee00a8fd2b639ee4e60867d7e409bd3cb6be1451f5ddbce26340766
MD5 hash:
fe233bfa89c7e26811c45fec198f7937
SHA1 hash:
6f0af0f155b841786f43b01e0c1c033aa277cdbd
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
SH256 hash:
afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce
MD5 hash:
6c00dff27e7b9281f4aa295b522b1e4d
SHA1 hash:
4ed317a0661c31766048fb6859f55c9646bb3534
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
Parent samples :
e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea
95b4104ced9d11a7f6b53221793f7560f9161c163c5236a44ef0da3ad24093f6
ab335b9636205ee0f2260e18b7c546b6a110015b3a1b759bac656f17ce9e93b2
f2814d657629b6b1a63fc30ff8204741ad1ec2127f70752694735d938d427178
9b8d232557686b014c7d81422e07090548f11a2fa9750a7b8233286539b1a048
ffd7fc226ac862e9c9a944e35a73a151e1399595030a3826482e15bc82b5af92
63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6
d3250ddf26bb9a71c94d06f22345e5ac30959195923ed5ca12db747e6ab1e65f
df239887fc79b6383173c139c8b15dc8279eb9a78e2f526646e45c14ff888b33
03446d8b365fd8c5488bac87d3bf769afa578a0280cd63e8736ab66f9d6c6f95
afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce
0c21fd40425fd9f22814fdd019b69dad64538d8e4a49a38cf0211301d053a2d5
d1164fe7652f2c5c800f0227383ebbd77157e84ff84d6713e4a8ea3ff7d47f86
dc60d2664af0f3881cc494e9295e0534293254f1023c22aed8159c3f85f08a4e
a563ab0cc303385af151163bb2fe3bb88d6681f865bad186db4019ac84c7270d
21218005d2b9dab517e80b87bf4b135e876a18f0d48cd77b29ca89332c615b92
a417da4eec41ccce59772248286ee9bfed2d781aec33db52829fac3d5beddc97
8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902
931f38d16e4369c01166d7dac9bbe0bc28af3228b6fca5d4f23e6f06f2f13333
7e352106b797fd772547c6d0cdd113c888a9170cbf648b81fa136263e8e435d2
SH256 hash:
4a771fd24995adcd21d2cd67dd54d6f5530ef1e9c27a195f5f1b5ee9c55eadee
MD5 hash:
b7743d6770c39c463951af5ec6f4b345
SHA1 hash:
21e436e8250392ecdcfe2a47af15d6e59e6df456
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
SH256 hash:
7ec118e70613ce2d9aee29cda2918ca710dde346c68d4da75c2ea0402e6d4391
MD5 hash:
1622a62bf6805b2dca82a8632eceac71
SHA1 hash:
071b72a5a1231149dfe4b9fcfa3a6ee49265ab7c
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
SH256 hash:
63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6
MD5 hash:
b4de5fc46cd12ce94031974b006f4213
SHA1 hash:
c33544c1f436191218274a8cb889ffcc4d6cf8c0
Link:
https://www.unpac.me/results/96d55ab1-e21d-4cbf-acb0-ab3be13093d0/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63ad94d4ee50/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710111/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2712475/
Cape
Cape
https://www.capesandbox.com/analysis/451953/

Comments