MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248
SHA3-384 hash: 4b52d04842318420f75f98b49ad8f0dfaa33fe81134cf2c07b847f0cfc2ba0359b692e9afc8b8a604a45e96829d72e86
SHA1 hash: 7ea30e4df73e190e86f0965a743271632fa2b838
MD5 hash: 9cab33d5a009f172c6da95483dcb1e39
humanhash: fourteen-eleven-island-pizza
File name:QUOTATION_JUL7FIBA00541·PDF.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'420'288 bytes
First seen:2023-07-12 06:27:10 UTC
Last seen:2023-07-18 11:40:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:YijgHRq0p5Bsc/n/8yaErOzGa6DG0FhP:YiM8I1//xYGa6S0Fx
Threatray 2'264 similar samples on MalwareBazaar
TLSH T13B657B626527294DE9293176D052F36D86458FF84D37DA4CFC4AB21EC273B831CB8A87
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b270e4b2d861b0e0 (11 x AveMariaRAT, 10 x AgentTesla, 2 x XFilesStealer)
Reporter abuse_ch
Tags:AgentTesla exe scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
257
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
QUOTATION_JUL7FIBA00541·PDF.scr
Verdict:
Malicious activity
Analysis date:
2023-07-12 06:38:00 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8dff5c3e-4e64-46ab-becc-5fa580eb9fa3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/416341/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68096378.14862.18868.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a window
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed1b16db-8a0f-4479-9228-b309876d9445
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1271601
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 08:31:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
18 of 24 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqqstyohwfklu4g4waidlwctr6ajfvijd44ajcqcevgminlqcjea._file
Verdict:
malicious
Similar samples:
3f76054b9bf791ef9397df1dc505e7cc8dcb87a39a2e238e71693dd0c3c3553b
AgentTesla
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
AgentTesla
5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0
AgentTesla
66ec3c9fb1339c6925fb508c17190aa7869e24b149abcedd771aa53ea9de27fa
AgentTesla
73e288b96b3f5a85046fc0ad2d5864b65c01d1f673943f0b35179af4ce39eff5
AgentTesla
97b9d63fe195249b2862a13c72cc88f4cb736f846eb91188de18984c231d168b
AgentTesla
98f78a6c3ba93ab5350b3d148455261b214e9f29836f56305a0f8f72a7690d4a
AgentTesla
ae025809e03a89496d161b722b94d9ce5eb1f0bb74fd8c814fc82a9eac757c3f
AgentTesla
+ 2'254 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230712-g8bz4adb81/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248
MD5 hash:
9cab33d5a009f172c6da95483dcb1e39
SHA1 hash:
7ea30e4df73e190e86f0965a743271632fa2b838
Link:
https://www.unpac.me/results/13734997-3959-4a13-8406-503a1e3c3793/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 3c2129e1c7b154ba70dcb01035d8538f8092d5091f38048a02254cc435701248

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/416341/

Comments