MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 14
| SHA256 hash: | 3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d |
|---|---|
| SHA3-384 hash: | fc88f43d46b6366154252588e98719e25b58fad3f23bd58649e8b37dd31ed3d508ace048b433ff5b6ce9e6e1afa67a8a |
| SHA1 hash: | 875d611145baea3825298a33b3ec3f5080ff4f27 |
| MD5 hash: | 65f71df7b2621627437f8e0d30374766 |
| humanhash: | crazy-winter-single-william |
| File name: | Swel-Lista av föremål.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 616'448 bytes |
| First seen: | 2023-05-11 09:26:42 UTC |
| Last seen: | 2023-05-14 18:41:49 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:jqULmQVF15ylsYtFwuZdYLdsVVc9g0qPWu3zycsuVKJ9ELmzRcEz:rLmQVZSRXUxsVGmP/OcsuExFP |
| Threatray | 3'386 similar samples on MalwareBazaar |
| TLSH | T1B8D4CF88133BBFE2E9A417F0215434524B3DE11A75B8F0BC6D5BB8C9C99AB114BD4B63 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Reporter |  lowmal3 |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
4
# of downloads :
288
Origin country :
DEVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swel-Lista av föremål.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-11 09:28:41 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Verdict:
Malicious
Result
Threat name:
AgentTesla, zgRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Status:
Malicious
First seen:
2023-05-11 09:27:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 3'376 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5932003035:AAGiWu3EDh9FYzqRKIySebzjjQ5uW0afS3o/
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
SH256 hash:
3ded12ee05d875ade213733aa21414fdd134897f5da3e81ce044ab4226214fbd
MD5 hash:
65737e02f9bc7df10ee85ee150cc774f
SHA1 hash:
931702ae14d31d1be15f54b51a0d1437e4dc9f12
SH256 hash:
cf83ebdd131f41a6d18026a3cd4d652dfa2d229565e5f4fed5ad3c9ffc544f53
MD5 hash:
bd09e6b84f43b13f3faa7d41792de99f
SHA1 hash:
6ad2ea32c617b9af7769034012bafba6f26b7baf
Detections:
AgentTeslaXorStringsNet
SH256 hash:
5640723e3ce36a7da4990c0345a233eee79bd040c668e3ef0482ef3830bc97d5
MD5 hash:
caa2fd4180b063525b2adcda16a2fd56
SHA1 hash:
24565eff9b0cd7c509514eabaa426b37144c436a
SH256 hash:
470843af8524c83ccd4678656e9b80ba9f4b2f0ea2fb2795fc503a39447b73ad
MD5 hash:
5e56949ac44063fc4255a0835546c814
SHA1 hash:
01511242a41619dd49caa899f05441c7c36d0af5
SH256 hash:
3298c3e6f25b777c9f772fb1d5123472df0b1046000598d9ed00bd369a56124d
MD5 hash:
65f71df7b2621627437f8e0d30374766
SHA1 hash:
875d611145baea3825298a33b3ec3f5080ff4f27
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.