MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902
SHA3-384 hash:	1e98573befe893efb66beea0a1eb69c58075ec05cc8778bd286bb170941266aa0f0b4872bdf076f9f27b8799b6003833
SHA1 hash:	2308987959856cd9245855688ef4779cf71251e7
MD5 hash:	07ff2e53678892b871dc14286df16edc
humanhash:	oscar-gee-friend-sad
File name:	obizx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	730'112 bytes
First seen:	2023-11-15 14:27:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:4JX4QtLaBlPDn3SfWXGYLfDjBXTmQx82XKm8Xkom9xaPPK7L0p:5PFjtTBxvamjom9xaEu
Threatray	1'981 similar samples on MalwareBazaar
TLSH	T137F4022733685823DA2E02F5D02650A417B1BE27B220E3DD5DA77BDD2BF2BD146016DB
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	003069cccc71b200 (7 x AgentTesla, 1 x Loki, 1 x Formbook)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://china.dhabigroup.top/_errorpages/obizx.exe

Verdict:

Malicious activity

Analysis date:

2023-11-15 11:58:09 UTC

Tags:

loader

Link:

https://app.any.run/tasks/7f5630bd-886d-481d-8eea-ba45d2097094

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/458734/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Reading critical registry keys

Setting a keyboard event handler

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6554d5ac8dc4c0f2230bc897/reports/88ef8463-6353-49a6-8a65-ac47b4b40034/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72c0dbb8-2060-42ae-9f74-314543454dc5

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1343048

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2023-11-14 14:56:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 37 (59.46%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qyzkntnm2pbmurgee7i6627kjkobnjyitiy7cl7htotoccegbeba._file

Verdict:

malicious

Label(s):

agenttesla_v4

agenttesla

AgentTesla

21218005d2b9dab517e80b87bf4b135e876a18f0d48cd77b29ca89332c615b92

AgentTesla

d1164fe7652f2c5c800f0227383ebbd77157e84ff84d6713e4a8ea3ff7d47f86

AgentTesla

d3250ddf26bb9a71c94d06f22345e5ac30959195923ed5ca12db747e6ab1e65f

AgentTesla

df239887fc79b6383173c139c8b15dc8279eb9a78e2f526646e45c14ff888b33

AgentTesla

+ 1'971 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231115-rsz24ace8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

1967425e0f443e5e08d4dc6e624470e9f42795e3aa57bce61c8ff3db976e0549

MD5 hash:

8d934e69bb126974993984cf0319ecf8

SHA1 hash:

fdece0bfe3f0ff5edcd5e27ea86c9581e30b35a1

Link:

https://www.unpac.me/results/e5ecb81f-3335-49d0-9438-4f046b8790d2/

SH256 hash:

76482f1dc9b0639dd6b2d762e09101875e207e8c60e146a43ca182a4c13d6afa

MD5 hash:

9561bc00330bfa400784c1b3b2075d0b

SHA1 hash:

b98f0014f428085dea5ea44108d64d9119e3d698

Link:

https://www.unpac.me/results/e5ecb81f-3335-49d0-9438-4f046b8790d2/

SH256 hash:

afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce

MD5 hash:

6c00dff27e7b9281f4aa295b522b1e4d

SHA1 hash:

4ed317a0661c31766048fb6859f55c9646bb3534

Detections:

AgentTesla

win_agent_tesla_bytecodes_sep_2023

Link:

https://www.unpac.me/results/e5ecb81f-3335-49d0-9438-4f046b8790d2/

Parent samples :

e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea
95b4104ced9d11a7f6b53221793f7560f9161c163c5236a44ef0da3ad24093f6
ab335b9636205ee0f2260e18b7c546b6a110015b3a1b759bac656f17ce9e93b2
f2814d657629b6b1a63fc30ff8204741ad1ec2127f70752694735d938d427178
9b8d232557686b014c7d81422e07090548f11a2fa9750a7b8233286539b1a048
ffd7fc226ac862e9c9a944e35a73a151e1399595030a3826482e15bc82b5af92
63ad94d4ee50e7edb7ca2125ea488538068aacd4d572be22fa140addf11631e6
d3250ddf26bb9a71c94d06f22345e5ac30959195923ed5ca12db747e6ab1e65f
df239887fc79b6383173c139c8b15dc8279eb9a78e2f526646e45c14ff888b33
03446d8b365fd8c5488bac87d3bf769afa578a0280cd63e8736ab66f9d6c6f95
afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce
0c21fd40425fd9f22814fdd019b69dad64538d8e4a49a38cf0211301d053a2d5
d1164fe7652f2c5c800f0227383ebbd77157e84ff84d6713e4a8ea3ff7d47f86
dc60d2664af0f3881cc494e9295e0534293254f1023c22aed8159c3f85f08a4e
a563ab0cc303385af151163bb2fe3bb88d6681f865bad186db4019ac84c7270d
21218005d2b9dab517e80b87bf4b135e876a18f0d48cd77b29ca89332c615b92
a417da4eec41ccce59772248286ee9bfed2d781aec33db52829fac3d5beddc97
8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902
931f38d16e4369c01166d7dac9bbe0bc28af3228b6fca5d4f23e6f06f2f13333
7e352106b797fd772547c6d0cdd113c888a9170cbf648b81fa136263e8e435d2

SH256 hash:

423b74c31eafce3794fda41ce93c87b2cdeff79f9f4f0395b376817617d5dfc8

MD5 hash:

6c72abe13cef23ec116f64c1aa8e2ecc

SHA1 hash:

304bc385aca3874371901f934aa7c0b147cf9985

Link:

https://www.unpac.me/results/e5ecb81f-3335-49d0-9438-4f046b8790d2/

SH256 hash:

8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902

MD5 hash:

07ff2e53678892b871dc14286df16edc

SHA1 hash:

2308987959856cd9245855688ef4779cf71251e7

Link:

https://www.unpac.me/results/e5ecb81f-3335-49d0-9438-4f046b8790d2/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8632a6cdacd3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/8632a6cdacd3c2ca44c427d1ef6bea4a9c16a7089a31f12fe79ba6e108860902

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV4 Create hunting rule
Author:	kevoreilly
Description:	AgentTesla Payload

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2721711/

Cape

https://www.capesandbox.com/analysis/458734/

URLhaus

https://urlhaus.abuse.ch/url/2728715/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample