MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
SHA3-384 hash:	aa694c59de532299e8ce8f50b804533e265e7a04f96150e44da5ff4fbf0a9e51ee6eebf2accb206fcd6711531a12552e
SHA1 hash:	898f8859caed79f460c235438981c45f976b2f6a
MD5 hash:	f8093ccda978921f5cfe758d29e5e14b
humanhash:	utah-december-september-music
File name:	SWIFT COPY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	699'904 bytes
First seen:	2023-05-18 23:31:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:lXQ7FbA+pIYTaTlpQRroQhFdLUHDKL4+Q7pvLN:RpT8rfmj04z7pz
Threatray	1'440 similar samples on MalwareBazaar
TLSH	T191E4BF5062645B92D3BA8BFA4134050407B935A63C3FE2289FDF20CBBAB3F465A55F17
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	threatcat_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SWIFT COPY.exe

Verdict:

Malicious activity

Analysis date:

2023-05-18 23:34:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5ef55d04-cf0e-4d85-87ea-add69a3d7a62

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67070139.8963.5168.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo crypter packed phishing

Link:

https://www.filescan.io/uploads/6466b57475f687672ac6ec1a/reports/640d2b7b-e7f8-48ae-9709-3c8a11893fb5/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1130b8b4-827c-4c58-a4f1-01ba0cec11e4

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1236528

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b/

Threat name:

ByteCode-MSIL.Trojan.SpyNoon

Status:

Malicious

First seen:

2023-05-16 00:46:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 37 (64.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hrqdz7rzd6n4ur3y7tpq7hjbt6xy2brcbdptoj2wndvvnbxxj4vq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4279e95d6e73bfee362446cb9c60671a50847f6830f990b085b1c91e1491d9af

AgentTesla

4581026ca8972214b08a22a0b621d607997da7586b828e02bfab11a5ca5de33f

AgentTesla

7d4221474c9d762be541c0a9dfe4b551b7d287f823246f7482795a9d628bbb78

AgentTesla

9ade1aaf821812d038b9bab451e0b48fad06c688e738a522e2d3d9947421209a

AgentTesla

ac34616497579756a7a7785ebbb39a75631272497dd7b2404ed00245741a3b5b

AgentTesla

baa855589cec9a4aeff9575393b8f2a46f5e2251dfc8f8cc009c5a6690ec9409

AgentTesla

baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e

AgentTesla

d9672edbb45fefa3ca9a12a91c8d27727f3e5262c76cac9efbf67925d6d6fb78

AgentTesla

+ 1'430 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/230518-3h9dkaeb58/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

e716c28da32271316071e0460558fc53ba94911dc383ede290e208809a54a36c

MD5 hash:

23b248d6255bf288ebbd80f0f44f816d

SHA1 hash:

fc3f3408ddc8731c117f054757377f21ec9dc2bc

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

SH256 hash:

9731bc7a126abc587dd3a349b86135dd11833c29d98fac34478175ad1dd39135

MD5 hash:

04699b118ce9c4c66592396a06303653

SHA1 hash:

f326f83f0c06dd81bc2bf72e52c2619be5b11e59

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

SH256 hash:

98038b763950f8de3efffa83da020669fbd376492deb24c75b25bbd4a1c2ce07

MD5 hash:

aa445eee133a93b202ea105e5de4e232

SHA1 hash:

c0968cfa259d38fb80af27465c314ba889b08296

Detections:

AgentTeslaXorStringsNet

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

Parent samples :

baaba65de7ee0a52274e439f9cfc6e1ad5e55f74dc43644c33c27863c99f9c4e
3c3e9ce2a4c9d2022601a66e6753d37cf92ae3940e87e62b46999eb4411264f8
3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b
91cdc121ddcc77ba9e01963b2ff1a92192cd4a7804915a67b598f69d457160b3
9c44d5b30c9ec1d5b163c227b65b54071d90f1d9569ad813c957a53db97c2463
47438e1a176f18053c6a9de8c2834a3d5ffeb78bb7efa09c6dea99aa7da44991
a357b85560b1159abbca744e8226315663cfa2d3778046eaedfe82dc293446e5
16e86906a50c4074a713e5484b31624aefe36f3b9ffecb8e85431afed61f723e
fe304cb0925bffe7c7314fb8c4bc50c15b82e49c81fe176c8482ea1ed6f51bc8
b5b3f18d4a9208ec2a9b1b8e1d1e1e8dfa6f6b749223fcb021839038d015d92f
892887bf977985a7b3c64ac19d31facf3af7e783b25173665c8cc48d804cca45
9cd47c4593254f37eb5bef6b0d887f7132ce6d9678af33799da736d6073382fa
65cea55d24d19444f39704ab0836a07e7e89a99b244abfad347516b14f58af0b
12d37f94ebe64d74e7cc1a4290af6797832b512a223d03d410171f47cd979065
cbbc5f54c9881799f1acef2bbfe3b81dd01242fd9694bd6ee9deaa44d90319ef
cc1214e080d2525cf0b00c622186d0f78a228d3f6dc933cad0f0114d505a73f7
e5dbce139ab26dc9f743ca4161894d49adddd7c9bd0f1ac4adf4177aec479b69
0501f9ee9fe9f858c159e067280b30badb60ce0e430abb1e60b3581edd8a971b
0725b0bb5b536502fd3a4593864bbf3b25dcacc3b3259162080909284c1348de
b79d3384f353bf024148b984f6d96e272c30b7547a00fb5d6f05524dbcc435a8
dc0e2395ee3f6a75876ca8cb0b8a876ac8494dc0d317a432ea5d1ba758296063
b1dd2f23a4e0925adcfe19c55bf701af33e6d3d66f3fd1537d30ea7ceddee9a4
cabf5777651e17c1d64384cefbf5f7ce2fc7abedff68901c96174dd16612caf1
f25d6018d3bab1f7651937b7b8e618979ea3c45b06e42e3d93e8b59cac9d46c3
be9496d0210e6343ea547889586015ab09bd8d25061f154a3f9f0922ea5a61de
37a72a158a2325b4967c6b2a9835fa722b6ca3789316c6120d3f263bfb6c15e7
26a294c50930c0cd9fbed08dd7fb63ea59bd2300eed46c452de0b4c5f7b95309
0828689925ecabda99bd3939a58b034387e6cd4c153c7652a0450d93010ccae3
0c250b21da631c5356630ff3d17f09a6da38a4c619f534b8f0be9d360707c9d4
83b11e62d88278fd953ef2496d6e6217d314defc55f7ba1fbb4d0a00ec6651b2
fb1c133bb4d681619adff92051b62f07da505ca6f15906b4fbb125bd65b1f190
9e2f5bad6acb0454f71026526cb9d5d78985ef6e566b433b04ba7aba5b277ddb
4316bebd7893238fab61d5cc2a4bdca1d65ad8f631347c949485b0c3a3b1353b
e2811e462b73fc7c62941b8472d9989a048509e8e6aed7012bc5f786d0f7bbe7
90d63293d26ff8d79d3cb130d63e4d69646527a8c61ea5308288980fcfd5189d
cbc632ae3dd2c72c24bd2b4ab8e53ff56aa2e742911ec9512432f0788b104e3c
93184419005707ae02f08ee38bf8381c4a87fc14a9715fb660ad48f6e1665f98
174e2237b3157582189f15393ba0a1771ac0fb62fb479690b46de1b61071b491
244ca73815a8c8303d9738bf0dd0fb859736fc69ea5103329ba2f6be2f9637eb
8c72d6594c46c605916cf3456b84810a1982c7f62f9c66d7eeb12bd0da0e82d0
e0a14b9acddbf73d270c2eabf671ce58e1c2aaa237ccf2de320efedc947b6ccc
69e82246e2a2444321ad9c8c84a445b8ec6b18702c2407565cae60e07b3823ef
4fb354ecdf9b230311b7b6bc60b1016f5f17653a1653e1c6fa1fbbbc92a08a30
e4319322a73a875512b80a2cc5bebf8c963f3e657258a6e7afd90919c8553fdf
40b4f0f7a724e1dc0abb235b73cbd1b50defaf387fb18b5535197607311056d2
a988d3605915b2f831729ebcde7d9ef7d169a549f3d3b7b1de604a9c07abee14
a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
8dd68257e8d07b2e0d25da886cdb7cb487085b99a469984369d486812596ea12
26794f7598febe976fb23ad9abe87ca823f65730957ce7821ce5bc9e6dbfab92
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774

SH256 hash:

0d2535df52c47c60d6cfa785180052a5fd00e5e173cf8c062c7eb9cb47cc9a0f

MD5 hash:

a9b2bf5de2d751ea787aca0fd38c7322

SHA1 hash:

51150fc2888d9862fc2899ff76ba508480db74e9

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

SH256 hash:

d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218

MD5 hash:

e5d93dadd08b8bc727e4f4853c6881ba

SHA1 hash:

27e0e057d33f01586193b0cbf06561c2863951f4

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

SH256 hash:

3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b

MD5 hash:

f8093ccda978921f5cfe758d29e5e14b

SHA1 hash:

898f8859caed79f460c235438981c45f976b2f6a

Link:

https://www.unpac.me/results/7d1944df-bf3a-42a9-96ed-900756594d0e/

Malware family:

AgentTesla.v4

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3c603cfe391f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 3c603cfe391f9bca4778fcdf0f9d219faf8d062208df37275668eb5686f74f2b

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample