MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
SHA3-384 hash: 0d65ba70ce985168a8ec4a111d1410ca88079a9a5be0a25898131f4dd9d5a52f8d058622f9605fb81ec3372c67680857
SHA1 hash: bb11c4bba1de99384cad1141f9200419e9a36b6c
MD5 hash: 6b11fceff3109b5e53de5a51e11e3274
humanhash: grey-friend-don-kentucky
File name:Specification-Fabric81477.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:35'480 bytes
First seen:2021-06-21 15:26:11 UTC
Last seen:2021-06-21 15:58:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 768:ps8dVGSl0lksBY7FlSs914hT5jJMklhqS:pRPZl0lPCzjT4PjJV5
Threatray 6'251 similar samples on MalwareBazaar
TLSH 7DF2F7AB6051B514D6E308742CA1FC743B68A7319990D10EE072995CCF82BFB78ED9DE
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Specification-Fabric81477.scr
Verdict:
Malicious activity
Analysis date:
2021-06-21 15:29:18 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/0bbd5484-3e7f-4fe5-9de3-8a9cbcc8aff2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167326/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.19048.9917.31291.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/759e2afe-f6c6-4855-905e-ab5ff3efacd7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805428
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437839 Sample: Specification-Fabric81477.scr Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 73 Multi AV Scanner detection for domain / URL 2->73 75 Sigma detected: Powershell adding suspicious path to exclusion list 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 3 other signatures 2->79 7 Specification-Fabric81477.exe 24 21 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 13 other processes 2->16 process3 dnsIp4 69 apdocroto.gq 104.21.14.60, 49718, 49728, 49734 CLOUDFLARENETUS United States 7->69 47 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->47 dropped 49 C:\Users\...\w4G7Rtab6D89b9388f6Odg7cj.exe, PE32 7->49 dropped 51 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->51 dropped 63 4 other files (2 malicious) 7->63 dropped 81 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->81 83 Drops PE files to the startup folder 7->83 85 Creates an autostart registry key pointing to binary in C:\Windows 7->85 91 2 other signatures 7->91 18 w4G7Rtab6D89b9388f6Odg7cj.exe 7->18         started        21 8af3ddd5-ecd2-4012-95ab-8831174ae9db.exe 7->21         started        23 powershell.exe 5 7->23         started        31 8 other processes 7->31 53 92ad71a7-1773-4a32-b84f-3fc203643ead.exe, PE32 12->53 dropped 55 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->55 dropped 87 System process connects to network (likely due to code injection or exploit) 12->87 57 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->57 dropped 71 127.0.0.1 unknown unknown 16->71 59 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 16->59 dropped 61 ef685c97-0381-4ebe-9951-4699afcd4c01.exe, PE32 16->61 dropped 89 Changes security center settings (notifications, updates, antivirus, firewall) 16->89 25 WerFault.exe 16->25         started        27 WerFault.exe 16->27         started        29 WerFault.exe 16->29         started        33 4 other processes 16->33 file5 signatures6 process7 dnsIp8 65 apdocroto.gq 18->65 67 192.168.2.1 unknown unknown 21->67 35 8af3ddd5-ecd2-4012-95ab-8831174ae9db.exe 21->35         started        37 conhost.exe 23->37         started        39 AdvancedRun.exe 31->39         started        41 conhost.exe 31->41         started        43 conhost.exe 31->43         started        45 5 other processes 31->45 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6/
Threat name:
ByteCode-MSIL.Downloader.Foold
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 09:48:22 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpghle7my5gxrm42izkz3jysiillww6a5hxnfv4zm4l4iyuhd2ta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
14f81ecd4986ab4802d00a55fce04c132c1c25a7146ac4e99026cc666f9c3c6c
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
517aa4a798cd785cae7bd9722bd79a0f85eadc7a3e9dbfa24440348df4ef7c7c
AgentTesla
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
AgentTesla
87178907c9c47a383a2a08a30481dbc5345b6c85c48142a855900d9840e6b6da
AgentTesla
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
AgentTesla
dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9
AgentTesla
+ 6'241 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210621-a1dhbmfkna/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
MD5 hash:
6b11fceff3109b5e53de5a51e11e3274
SHA1 hash:
bb11c4bba1de99384cad1141f9200419e9a36b6c
Link:
https://www.unpac.me/results/e64025ef-fd7b-464f-b43b-91a5ac77b89b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/167326/

Comments