MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17
SHA3-384 hash: 4911f78abfd94aa59acb46cc6cd15ddbdcb7c30a3edee1ad7f8e7242b2188a01436cd0c1c8f46aa77282300621b78283
SHA1 hash: ed969e853e8bee7aa17a147020d5b0e728b3f74b
MD5 hash: d5a189014891871d54b94fb86f10f5a6
humanhash: helium-cat-yankee-pasta
File name:SecuriteInfo.com.Trojan.DownloaderNET.105.30936.26237
Download: download sample
Signature AgentTesla
Create hunting rule
File size:20'992 bytes
First seen:2020-12-16 19:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:Ne7q0eRRjb9TKAGkQoPAEM4cJMjubLtGDgf2hN:w7q0cRjb9TKAQWnqUUf2hN
Threatray 3 similar samples on MalwareBazaar
TLSH 05922A5067187912FA6F9330B623D093772127B733E78F66A829928DD5D1B901C8DECB
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product list.doc
Verdict:
Malicious activity
Analysis date:
2020-12-16 15:54:10 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/110f5e0b-b987-417e-a44b-c97be1bb24b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.105.30936.26237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/564701
Signature
Connects to a pastebin service (likely for C&C)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331445 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 16/12/2020 Architecture: WINDOWS Score: 52 20 Multi AV Scanner detection for submitted file 2->20 22 Connects to a pastebin service (likely for C&C) 2->22 7 SecuriteInfo.com.Trojan.DownloaderNET.105.30936.exe 15 3 2->7         started        process3 dnsIp4 18 hastebin.com 104.24.127.89, 443, 49719 CLOUDFLARENETUS United States 7->18 10 cmd.exe 1 7->10         started        12 WerFault.exe 23 9 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 timeout.exe 1 10->16         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 17:30:43 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqz4u2lsd2udjo6n4zs67fikuzwhpmrxpbgm5gaxhwltcw7arulq._file
Verdict:
unknown
Similar samples:
9bc650ba9819e8eb7ad716636f7d104883e1c69259cbe4bfb625fe2d8032d479
AgentTesla
dc9b8828197d36f63999e8835193ef7bf23091fae5216c375059dc168432f3b9
AgentTesla
e9575adae2fa6afb6b8d8fb098feec9d4acbadabda4beeca90433b578cd6afa1
AgentTesla
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201216-a5ntsvc9mn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17
MD5 hash:
d5a189014891871d54b94fb86f10f5a6
SHA1 hash:
ed969e853e8bee7aa17a147020d5b0e728b3f74b
Link:
https://www.unpac.me/results/3ec60d7f-fae7-4891-b298-195a8a40b664/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3c33ca69721ea834bbcde665ef950aa66c77b237784cce98173d97315be08d17

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/923305/
  
Delivery method
Distributed via web download

Comments