MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 7 File information Comments

SHA256 hash:	64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe
SHA3-384 hash:	b4173da8f090099f624febba3946190111b62ea9e9602edf123e47999ab3db97fe29199a22ed86011520543b01dd6b18
SHA1 hash:	6a139cef123143182bd32fb1717dbaf67fe3e48c
MD5 hash:	b8a82b5d1e9d7f3805b7560bd9dfb635
humanhash:	pizza-illinois-red-aspen
File name:	KwdRvSJrdtq9X5V.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	714'760 bytes
First seen:	2025-03-05 06:34:31 UTC
Last seen:	2025-03-05 07:33:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:T/fppm+gvyivMQ0cR9wEsQYxRwFEM0G0La7CR5WlFMeG5WBYU4tfAoHPUxkR:ehNR9w/RwFEFTwCRslGz5WCLhHV
Threatray	3'560 similar samples on MalwareBazaar
TLSH	T112E412ACA209E01BCA8627752B61F2B96A7C5CDDF801C3175FEDBDDBBE72A101C54142
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

458

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

KwdRvSJrdtq9X5V.exe

Verdict:

Malicious activity

Analysis date:

2025-03-05 06:47:44 UTC

Tags:

evasion stealer exfiltration smtp agenttesla

Link:

https://app.any.run/tasks/da1f027e-bede-471e-bdb6-d4e8f5772e6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.20652.13960.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c7f296c668b65489bf1475

Tags:

virus micro lien msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Verdict:

Malicious

Labled as:

PasswordStealer.Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca760fda-7941-4c31-82ac-d2629a316cc4

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1629782

Signature

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe/

Threat name:

ByteCode-MSIL.Infostealer.Genie

Status:

Malicious

First seen:

2025-03-05 06:35:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mtfe3kzdb7lafmmopdoqfnfs7rhql4xyuktdnsulbqmffopjf67a._file

Verdict:

malicious

Label(s):

agenttesla

unc_loader_037

AgentTesla

65b7cf7ab546e94fad0cbce12c9756dcb2af4aa833943beffdfcc448e00e4449

AgentTesla

712b2ac1987715d8f00efee1564134d975790138d938cdd4dade04902db22b15

AgentTesla

71d16f11d609531f7a59f8b56013c1696e5b39dd4c9e6ca5ffbcec258032c58e

AgentTesla

error

AgentTesla

f4048c147a758eb5413a885a12c69fa5cd1b61668ae668942bcb7892e7f62584

AgentTesla

+ 3'550 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250305-hcgq5s1qt2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/0349b3ff-65fc-4f9e-b658-b1122959ce26

Unpacked files

SH256 hash:

64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe

MD5 hash:

b8a82b5d1e9d7f3805b7560bd9dfb635

SHA1 hash:

6a139cef123143182bd32fb1717dbaf67fe3e48c

Link:

https://www.unpac.me/results/a8d8d0ea-aefc-4fe6-aa25-d60d80c25746/

SH256 hash:

ab608bea68aa025f85a499a38b2ba7d1494401b2811b2516e729b6163f55e0a2

MD5 hash:

b3ddb9697f34c56d94f8b2b3d3b9f18b

SHA1 hash:

63a428a65722ce363f9d33b9acccfc890ac31289

Link:

https://www.unpac.me/results/a8d8d0ea-aefc-4fe6-aa25-d60d80c25746/

SH256 hash:

c5d3cd63dc64a4dcae62501ea162d1bbdbe69fa680a09eb6a20cd8dfdedabe0c

MD5 hash:

39282b6235ed024a94de88491a3abe02

SHA1 hash:

6d07033795deef573e7dd521c63a7469d936b859

Detections:

AgentTesla

win_agent_tesla_bytecodes_sep_2023

INDICATOR_EXE_Packed_GEN01

Link:

https://www.unpac.me/results/a8d8d0ea-aefc-4fe6-aa25-d60d80c25746/

Parent samples :

646456f832bf387fc22d1c5a26e2adb6473c19045994a54948c0dc07aca07022
646b946b30b9ab434115d2527ef526a6cda507a315b3ddfdce1f3fb6159f95aa
9a6f5e16552d185a6bf7d82cafe02a49a982066ab8035c175bcbd7d0ae0c550f
64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe
fec06de7d04144f3f7837f1af239e476d9d6bf5b77769240a7145d5d7abaa60d

SH256 hash:

a9621d45b91960b91cb2c8fae4e9a01072b531f2915dad64fef975b35f30ff44

MD5 hash:

1b7eeccb7a54b2952b4decccc78859dc

SHA1 hash:

d7f5d64be05e4332393923725ea8e863a70f88fb

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a8d8d0ea-aefc-4fe6-aa25-d60d80c25746/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/64ca4dab230f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/64ca4dab230fd602b18e78dd02b4b2fc4f05f2f8a2a636ca8b0c1852b9e92fbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample