MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a50e1b33ace0e3faf26026566648f4b04d90cbfbc197a27330c0d690e3be8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64a50e1b33ace0e3faf26026566648f4b04d90cbfbc197a27330c0d690e3be8c
SHA3-384 hash: 8787762ef1d527b03283586f960ad622aea48d92e3cd1cc312437d0c52cfa9096e832f4cec43e6531b9aabaf4aa78aa4
SHA1 hash: 2e7d45ff57410f1d144e914a616ade276a244f5f
MD5 hash: d8eee8440dde12c5915cb7d7ea8c41e1
humanhash: fix-seven-oven-berlin
File name:obizx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'160 bytes
First seen:2021-09-02 17:04:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:ONUZhSb8FJLgGk9xKmcMnmkz5L9ZolspTBNUXymrkHKOn0juB2sDDxsttZKd:OeZhURr7Z9Zols8ymrkzaaDDTd
Threatray 9'385 similar samples on MalwareBazaar
TLSH T1C4E40B3E18FE23279176C7D5CBE18823F6D098AF3133A964A7D747264316A4675C322E
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
45467744456565.doc
Verdict:
Malicious activity
Analysis date:
2021-09-02 18:25:39 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/6f415f14-389a-4f1d-b914-2a862eb1d8dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184859/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.8195.11563.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab89e244-4e38-409a-968e-91260fd78c6b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844209
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64a50e1b33ace0e3faf26026566648f4b04d90cbfbc197a27330c0d690e3be8c/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 17:03:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mssq4gztvtqoh6xsmatfmzsi6sye3egl7pazpittgdannehdx2ga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3d73a3897420f1cc765c304ee3c40ad2c9e90fdc9305e7322455137f68837e4e
AgentTesla
4257668544f82471d6be72eca158de2d80011072ba2954b06fbae4ff6a71b4d2
AgentTesla
574013d909e0610f956065d80282b577881218d8294d223c74146e0391e9b11b
AgentTesla
689ddb0773860f65edd676e3d32207c1db0848a29db71fae865705a6666aafe6
AgentTesla
6b89423281b15d82bd2dabd24a68d7a1a7744c12ca2e951913f7361a271e34e5
AgentTesla
6ec21322ac55c170bba7bb85c122413b49f53a3f328791520d0f51b57e582ed4
AgentTesla
9233f9077f989e8431fe678c79173c9b5f04c6ff68660fb2405ef0b39f5303b7
AgentTesla
b5a2c6ad35eae14ca13d811a3a1a445fabee8a8aa63625f25520375a20fe44bd
AgentTesla
e32906edfa8d988075e6d062f5ea60f7550595eeef8f1d2177d387dc51f67a5c
AgentTesla
fdd78bbf6d05b69fbdcaa24727822f1ec7e9b652266ac34ed69916537e6aeff2
AgentTesla
+ 9'375 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210902-vlt42seacp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9df3ab68d825ce2e81f10d96bec272799d773ac1ab754df23c2fa4e681f91bc5
MD5 hash:
61c473fe3ec3ed1dd9d1e38fe2b6bcab
SHA1 hash:
e3ae496e828e7457217c24e2da29ddc079e3768e
Link:
https://www.unpac.me/results/37f78dcd-9950-47a3-9a8c-46a558c31a33/
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
Link:
https://www.unpac.me/results/37f78dcd-9950-47a3-9a8c-46a558c31a33/
SH256 hash:
59842bfbb8dcf0fbde0ed6e3e8afed8390349a363a8f1c74c18e8152067715ed
MD5 hash:
76434fcdc82f4b886a2d66e4f342dbcf
SHA1 hash:
79ed835fcda577521a33f090db72c81d6b54232d
Link:
https://www.unpac.me/results/37f78dcd-9950-47a3-9a8c-46a558c31a33/
SH256 hash:
64a50e1b33ace0e3faf26026566648f4b04d90cbfbc197a27330c0d690e3be8c
MD5 hash:
d8eee8440dde12c5915cb7d7ea8c41e1
SHA1 hash:
2e7d45ff57410f1d144e914a616ade276a244f5f
Link:
https://www.unpac.me/results/37f78dcd-9950-47a3-9a8c-46a558c31a33/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/64a50e1b33ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64a50e1b33ace0e3faf26026566648f4b04d90cbfbc197a27330c0d690e3be8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/184859/
  
URLhaus
https://urlhaus.abuse.ch/url/1586573/

Comments