MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d
SHA3-384 hash:	102aba3af69cda49ca9be57ff0a197c22584058e09aa8b7c83dd8b5616c15a531af25239f64f4849f8f01287ac8697af
SHA1 hash:	b794d6f5bb0232f7fc0963ed78ef7012d9ea7d86
MD5 hash:	b5fbf8ee3c25415a91dcf897ee20a98a
humanhash:	black-robert-table-juliet
File name:	GsxINR0t8iolBIA.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	731'136 bytes
First seen:	2022-06-06 07:46:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:FIlpkANyPAatCGgapqfc37HrEN1Go3FbojZzCi9fjzEOastQCg5:FUUCGgapqfcTrcmjtCQjAO1td+
Threatray	18'572 similar samples on MalwareBazaar
TLSH	T1AFF4F14E3509A18FC43B8D37A466EC70A7783E636E63F7077492368DD54F6C28A161A3
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	cocaman
Tags:	AgentTesla exe INVOICE

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

GsxINR0t8iolBIA.exe

Verdict:

Malicious activity

Analysis date:

2022-06-06 08:14:11 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/ba908510-779d-450f-acde-28fd40b12ebf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276907/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.49114654.23337.12339.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed remote.exe

Link:

https://www.filescan.io/uploads/629db108e22d00d5e1940cde/reports/3a21c4b1-db8c-44e9-80a6-700e1ecedd7d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/abd46c61-97a9-4a31-80ab-c7822129453c

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1007154

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-05 21:53:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mpg5urvarqydrwkmmdb52cwdtdvs2w2wk2ehbpkbfc4dlja5prgq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

87126e672dcbafa6827503b7c2de467eda7f48367dba3db2fe4209f509c6cf6d

AgentTesla

b27c6b257151b39a26f528bf4511bae9b795493cb54cf2d31676ae586ee74e86

AgentTesla

bc0a1153681fd21f8ea15a81e41d256a7a10623554db56a74d2b244547248e7c

AgentTesla

f1a566ebee3c225b2683813ce31c30f6e7648c1dcdd03c991a2d2e99c11bc6d7

AgentTesla

+ 18'562 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220606-jmh8dsback/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot5380301623:AAEiiAoD9x5hD8Dpz7EhZFXpW2UQGzFYtzs/sendDocument

Unpacked files

SH256 hash:

4fca3db55ae7bc74e18e575e54a380ec3f2814d6cf3f9f671b7402b55d668bf5

MD5 hash:

c725c2954164f839078bec4fece6477d

SHA1 hash:

f64c1a3ac8d558816fb057ab8c1f93e6a1aac54a

Link:

https://www.unpac.me/results/c8437c70-88bf-4e60-a456-735c5cc2961e/

SH256 hash:

1505223826b948b132c6fd808b710c2c5e71151e26f26b3f0ee5cc0996fe869c

MD5 hash:

96e1ef2deb74766c98597b7fdec81009

SHA1 hash:

d51d3f4236a2b4ca608a68a8facf4efc858cf454

Link:

https://www.unpac.me/results/c8437c70-88bf-4e60-a456-735c5cc2961e/

SH256 hash:

8de02cb1520786169d7a540ad3b3a5c6f25369a7af8b0713631f526c47972945

MD5 hash:

cfe652ea3d79aac8401053f736800df9

SHA1 hash:

8bb61098d3d7d57746497f08352ed6ee35e00929

Link:

https://www.unpac.me/results/c8437c70-88bf-4e60-a456-735c5cc2961e/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/c8437c70-88bf-4e60-a456-735c5cc2961e/

SH256 hash:

63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d

MD5 hash:

b5fbf8ee3c25415a91dcf897ee20a98a

SHA1 hash:

b794d6f5bb0232f7fc0963ed78ef7012d9ea7d86

Link:

https://www.unpac.me/results/c8437c70-88bf-4e60-a456-735c5cc2961e/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/63cdda46a08c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/63cdda46a08c3038d94c60c3dd0ac398eb2d5b56568870bd4128b835a41d7c4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.