MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63c0c93240c97ce6d561b76c6a05e1192256532c144b88512252affe04eaa8b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	63c0c93240c97ce6d561b76c6a05e1192256532c144b88512252affe04eaa8b2
SHA3-384 hash:	5310a1eb8883e2929cf5fe6d3ba316352a837017debdc9c578fa2adad8b970db8784e3b81817a30488968b4b2fc4424b
SHA1 hash:	fb11a49763debb13608d22b009b5ae8f07cd8d36
MD5 hash:	8163e7894ee5b67e073b94e83a801d49
humanhash:	football-wisconsin-mississippi-stream
File name:	PO #DS90442GHpdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	798'720 bytes
First seen:	2020-06-26 08:03:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:ACuwYpSaJ8B+V2DrCXoEv/Lo2DCtO3vHbR:gww8B+V2PCXh/c4CtO/H
Threatray	91 similar samples on MalwareBazaar
TLSH	FB059BC0FE9BC549C00A4AF5D85EC15C9A75EF09275ADE096649F34C1A72B1CCEC8AF2
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.sinnerbrinks.de
Sending IP: 89.32.41.129
From: LYON MBABE <rob@sinnerbrinks.de>
Subject: Purchase Order
Attachment: PO DS90442GHpdf.img (contains "PO #DS90442GHpdf.scr")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/14737/

Detection(s):

SecuriteInfo.com.Generic.mg.8163e7894ee5b67e.9785.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun with Startup directory

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63c0c93240c97ce6d561b76c6a05e1192256532c144b88512252affe04eaa8b2/

Threat name:

ByteCode-MSIL.Trojan.SchInject

Status:

Malicious

First seen:

2020-06-26 08:05:07 UTC

AV detection:

24 of 31 (77.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mpamsmsazf6onvlbw5wgubpbderfmuzmcrfyqujckkx74bhkvcza._file

Verdict:

unknown

Similar samples:

06bee58a2c778e9fe0110f856a5045d6369e81b131d834468d49390307e208e5

2f009da908cbeae355eeb069e1e2491879f34b8ae013dafcafb45c1211a67684

355c8b8775f6b728776e7fae1aae749b43475b0d6ee34d244bba666a434a4e70

38f27206d20394df8f033f932c9e00d6675150710201dd92af6d335b2d7810c8

430bbefe89bad382de0a7831e7afc238f397a930a235d208585fb2bfb0b950bc

442da40f9f56aec12a7115eaf8cda0c58c897d16a11b8d32dea37ff8ba143d16

5ab8a06136b60d9f632b0e6ab76ab36e8078668cff1e98ad2d5548ac2cbcd693

698bf99b93421f8c16cd7d6b397d9632211d25abac6194c674e2c8bc3fb07cab

cb087e66ace5b9c59745e8df39425afd295af390f430cef4415eb13e01c10758

cf62903c68cba144e7e336081e53e4cb8c0ac98249641f4d39d59424307c8297

+ 81 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200626-5pymtfxw66/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 6b871ec96892ffdf6042b60689d8abc902ced047f321621e3e9f625b74498949

exe 63c0c93240c97ce6d561b76c6a05e1192256532c144b88512252affe04eaa8b2

(this sample)

Dropped by

MD5 042f67eef3ef9172c0ff40198b850fa0

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/14737/

Dropped by

SHA256 6b871ec96892ffdf6042b60689d8abc902ced047f321621e3e9f625b74498949

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample