MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c112aa6303f06bac17ef65b8e3aa5cfd582e2aaf04e0036c39216d8965ad804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 16

SHA256 hash: 2c112aa6303f06bac17ef65b8e3aa5cfd582e2aaf04e0036c39216d8965ad804
SHA3-384 hash: fd645d063fe1f647ac786784375978c809fef5f2e1f2ca9cf8ba3a4a9ec6539fc413e86f2f100168e8a5219a0f2690c9
SHA1 hash: 2068d5fc7c011f5356c0e419a8d4e1836ac635d1
MD5 hash: 2b8d52006fc4f5c0dd8dac75f2d315ae
humanhash: alanine-social-nebraska-mobile
File name: rDocumentosdeembarqueCI.exe
Signature: AgentTesla
File size: 1'110'016 bytes
First seen: 2023-12-21 16:49:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf5a4aa99e5b160f8521cadd6bfe73b8 (434 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep: 24576:ek70TrcN/imA7oFkT2F5RvrFyBWTipXFT:ekQTANahcG23RjUBRpXFT
TLSH: T1B735E056F58092B5CC29A3702471CA7407267D6BEB79648F6BCC3E6B3FB21E20176487
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: d4d4d4d4d4d4d4c4 (7 x RemcosRAT, 6 x AgentTesla, 1 x MassLogger)
Reporter: FXOLabs
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 277
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control lolbin net_reactor packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: AgentTesla, RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected RedLine Stealer
Threat name: ByteCode-MSIL.Spyware.RedLine
Status: Malicious
First seen: 2023-12-20 13:36:57 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 25 of 37 (67.57%)
Threat level: 2/5
Verdict: malicious
Label(s): agenttesla
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
AgentTesla
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1186834019627827270/y0S-n-hBE1jR15tIr1j1sESR1UsUyFoPzm0ZqLatEGGEP8xXdU9hk3RwMYMEZqV8QFo2
Unpacked files

SHA256 hash: 9502087baa2098fb815db86b52c221116762bb76e6e8a9cafa956261187b5e34
MD5 hash: f29633fc82cbbec493fad8c5ca738f02
SHA1 hash: ccc7c9fe1ff49da9d4bdbcb258f84900900d59e0
Detections: RedLine_Campaign_June2021

SHA256 hash: 768d7431989d92ecd6d29589560c7f2f7ddaf40dc1111987b33ff5a9381d7945
MD5 hash: 1e032de6b4660e8a3c923d5b64024ea2
SHA1 hash: c1fe432a5a0ccf98385307a12c64a9528c6fc172

SHA256 hash: e5b13156ba57cb8804e0caa4ddc153dcbfdd6cd6b3e20e83c9f7411fc5bdd848
MD5 hash: 57f87511fa7a32339715140215909902
SHA1 hash: 7dd3ed7cbc7b0a22366584b2cc0357a2b0e56358

SHA256 hash: 4b4c575d3b81409b1a0f8eed37e1a803474b0472d6cc63f253aaddaefb0d11e6
MD5 hash: fddc458e56dd9a3696508cffd9ef1f71
SHA1 hash: 109bf00e0ea7d80a5cf08294c78cabbd6240f9ac
Detections: win_agent_tesla_g2 INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Agenttesla_type2 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_DiscordURL INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

SHA256 hash: 2c112aa6303f06bac17ef65b8e3aa5cfd582e2aaf04e0036c39216d8965ad804
MD5 hash: 2b8d52006fc4f5c0dd8dac75f2d315ae
SHA1 hash: 2068d5fc7c011f5356c0e419a8d4e1836ac635d1
Detections: MAL_Malware_Imphash_Mar23_1 MALWARE_Win_RedLine
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 2c112aa6303f06bac17ef65b8e3aa5cfd582e2aaf04e0036c39216d8965ad804 (this sample)
Delivery method: Distributed via e-mail attachment