MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a
SHA3-384 hash: ed48faa3324841b17b8f5a0e4a5ae49c36fdc95de1053dfe0a8fce54df41988057ac55677c7a34b2004ac5edfec81737
SHA1 hash: 572298b21fe16b232b7ed4e4d61e63d76d7b9f32
MD5 hash: 245d6b66c3065f1233f1174c58321f0a
humanhash: low-item-grey-pizza
File name:Invoice # ISB-49677.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:729'600 bytes
First seen:2023-05-10 10:06:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:w0yJ9caZZfYZurfHnFoqceKkKhXWTxM/bPbwGroszMB+EWr7N6JH8KSpnr8ud:w5bbcurNo7NG0IYsWrganQud
Threatray 1'031 similar samples on MalwareBazaar
TLSH T174F4CF3E51DB5C22C7A6C7FF899879A40335B301BDFBE63E225D00C89D42BD0AA85957
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice # ISB-49677.gz.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:08:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9139114-07b4-4c42-9fac-d5bec30f0252

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388121/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b6cc7d054a0b0ef848229/reports/67c6d9e4-f408-4458-b374-7a33410bba3e/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/556e3bed-5842-40f5-96d4-e3fb85b879af
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229916
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862898 Sample: Invoice_#_ISB-49677.gz.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 11 other signatures 2->55 7 Invoice_#_ISB-49677.gz.exe 7 2->7         started        11 XtALiel.exe 5 2->11         started        process3 file4 39 C:\Users\user\AppData\Roaming\XtALiel.exe, PE32 7->39 dropped 41 C:\Users\user\...\XtALiel.exe:Zone.Identifier, ASCII 7->41 dropped 43 C:\Users\user\AppData\Local\...\tmp40FA.tmp, XML 7->43 dropped 45 C:\Users\...\Invoice_#_ISB-49677.gz.exe.log, ASCII 7->45 dropped 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 7->59 61 Adds a directory exclusion to Windows Defender 7->61 63 Injects a PE file into a foreign processes 7->63 13 Invoice_#_ISB-49677.gz.exe 15 7 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 20 7->19         started        21 schtasks.exe 1 7->21         started        65 Antivirus detection for dropped file 11->65 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 23 XtALiel.exe 11->23         started        25 schtasks.exe 11->25         started        27 XtALiel.exe 11->27         started        29 XtALiel.exe 11->29         started        signatures5 process6 dnsIp7 47 api.telegram.org 149.154.167.220, 443, 49695, 49696 TELEGRAMRU United Kingdom 13->47 31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->71 73 Tries to steal Mail credentials (via file / registry access) 23->73 75 Tries to harvest and steal browser information (history, passwords, etc) 23->75 37 conhost.exe 25->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a/
Threat name:
Win32.Trojan.RemLoader
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 03:49:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpymlu326w7mvbey7pltfia62ruisb6vikq5qx2ggqe5gpdvnm5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
AgentTesla
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
2ce7d781b4110aea5d90e86a8798e44516a33724c212e4b6099cb4babb7090d0
AgentTesla
392ee3c9d47409b170b5e4d6f7eedf427bf1121be42b024a663340bed3025bd4
AgentTesla
3b0acc239747010ba9c56cf22b4ace536d82bf3748dfb14e8b977c07f8dc976d
AgentTesla
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
AgentTesla
a5ee311c1782356ae8fd1e5fc6f6a2cdde6dd79ebc5c80a02c36b3327ba3ac7d
AgentTesla
c0a209c7475d77aab35852ae9662365b1704fdac50b9f3d59daebdee13018942
AgentTesla
d46e1ec4fd88c836e0f27060808c2506e0df5d1034f9c88e56dd37bfc2113120
AgentTesla
e2e44650ba8303af8f989baa14c50855cd25249e664d3ef5039edbbd6f3ca32e
AgentTesla
+ 1'021 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230510-l5mpmsfd58/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5494052141:AAF2aO4sQ_tu4BOnk0pmxB995km7Mslduy0/
Unpacked files
SH256 hash:
18ec0013bfcd774d496fcc094e99b4c2fdc47c8b85fc2fda0337eaeade61682f
MD5 hash:
9923228b06a85a6a6c66227862fc41d0
SHA1 hash:
fc91442877c44e8a451723430f5188e245375940
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
db87ba8c80b086b0dffd13b67d42331e721a9a8e373c28b9f1b0cb8a8c18d90e
MD5 hash:
da28ff6e3bc7b3590eccf585dacdc686
SHA1 hash:
8a2dac85ce52ed3b5d05895e9d63ee40cb55ab07
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
Parent samples :
3a4a199fb9796ce914f2b483e367190289a0a7586650b22cda8e7ba631cb11c6
b02d91d801822490ae3fa7315323ba054cb72aee687579a81419b7f38925e653
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
d46e1ec4fd88c836e0f27060808c2506e0df5d1034f9c88e56dd37bfc2113120
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a
SH256 hash:
8a6ebb528b7d06d3a5b0335bc2acfbb85e2df840173ecfb00da9fec9fb1f9bbe
MD5 hash:
14b0638a8ad3a84e29851d40f1269f1a
SHA1 hash:
4bb9fb8648104106721c2143091776fd321209ee
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
SH256 hash:
5bf18333a936e0f430a0e52390060b2ea35d472bd88b1cf8299e6502e7365140
MD5 hash:
2bd1a8683a3c9993feab5f972368a5ae
SHA1 hash:
247eb4a1214e77f62e4746adae9cf31436257bdb
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
SH256 hash:
63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a
MD5 hash:
245d6b66c3065f1233f1174c58321f0a
SHA1 hash:
572298b21fe16b232b7ed4e4d61e63d76d7b9f32
Link:
https://www.unpac.me/results/d0db5945-4657-459b-8fef-41ce10035046/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/63f0c5d37af5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388121/

Comments