MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8
SHA3-384 hash: eb40483632554ee0c0e341c098d9a1d1cef3d7aebc975e9f595d3a235bd7e7884825dca5cb99b0eff65957090a9a42e6
SHA1 hash: c8408cc5f955d24f570a5d989f4b446f3474cb46
MD5 hash: 8a16dc06cc513c359a0c5b65e8263c0a
humanhash: lake-nitrogen-crazy-six
File name:givemebestgoodthingstobe.hta
Download: download sample
Signature AgentTesla
Create hunting rule
File size:17'288 bytes
First seen:2025-03-01 14:27:29 UTC
Last seen:2025-03-05 08:33:04 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3PBFJfZeRFJfrmeUsGbE99DdfkZ/RwlFJfZjFJffeyFJfCG:/LJfIbJfrP9GIflc5UJfZBJfGGJfN
Threatray 3'557 similar samples on MalwareBazaar
TLSH T1047263051C91BF520752E2CA0CEFC8D18A1C6F0F9910657E349E06EA032936C9DFC9E3
Magika txt
Reporter abuse_ch
Tags:AgentTesla hta

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BV.Agent-BVA.28791.16521.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c31a7e2dfba428b46f8f6f
Tags:
obfuscate shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8/results/dashboard
Payload URLs
URL
File name
http://23.95.60.47/Tuesdayconstraints.vbs
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67c3197d4a3011c802c4c676/reports/745847c2-1597-4402-8c53-19effa736e8b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1627167
Signature
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected Cobalt Strike Beacon
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
PowerShell case anomaly found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1627167 Sample: givemebestgoodthingstobe.hta Startdate: 01/03/2025 Architecture: WINDOWS Score: 100 50 ip.1007.filemail.com 2->50 52 ip-api.com 2->52 54 2 other IPs or domains 2->54 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 15 other signatures 2->68 11 mshta.exe 1 2->11         started        signatures3 process4 signatures5 90 Suspicious command line found 11->90 92 PowerShell case anomaly found 11->92 14 cmd.exe 1 11->14         started        process6 signatures7 94 Detected Cobalt Strike Beacon 14->94 96 Suspicious powershell command line found 14->96 98 Wscript starts Powershell (via cmd or directly) 14->98 100 PowerShell case anomaly found 14->100 17 powershell.exe 3 45 14->17         started        22 conhost.exe 14->22         started        process8 dnsIp9 48 23.95.60.47, 49710, 80 AS-COLOCROSSINGUS United States 17->48 42 C:\Users\user\...\Tuesdayconstraints.vbs, Unicode 17->42 dropped 44 C:\Users\user\AppData\...\r5kflxyp.cmdline, Unicode 17->44 dropped 70 Potential malicious VBS script found (suspicious strings) 17->70 72 Loading BitLocker PowerShell Module 17->72 24 wscript.exe 1 17->24         started        27 csc.exe 3 17->27         started        file10 signatures11 process12 file13 82 Detected Cobalt Strike Beacon 24->82 84 Suspicious powershell command line found 24->84 86 Wscript starts Powershell (via cmd or directly) 24->86 88 2 other signatures 24->88 30 powershell.exe 15 15 24->30         started        46 C:\Users\user\AppData\Local\...\r5kflxyp.dll, PE32 27->46 dropped 34 cvtres.exe 1 27->34         started        signatures14 process15 dnsIp16 58 192.3.220.17, 49739, 80 AS-COLOCROSSINGUS United States 30->58 60 ip.1007.filemail.com 142.215.209.72, 443, 49712 HUMBER-COLLEGECA Canada 30->60 102 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 30->102 36 MSBuild.exe 14 2 30->36         started        40 conhost.exe 30->40         started        signatures17 process18 dnsIp19 56 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 36->56 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->74 76 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->76 78 Tries to steal Mail credentials (via file / registry access) 36->78 80 3 other signatures 36->80 signatures20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-02-28 19:40:27 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hr3fji4lpzqf3v3btnhk7vsfyiqdyl5bbzqfbait5lzdvb7zf6ua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25ab1b7614199df29e69ae59542d296f3482834c205cdbcfb7422b46b9c06e04
AgentTesla
2721334b6e632df9c325337f43656c1e2ed4afb5e0e1e1b74a55055346d3200e
AgentTesla
9e19f6b4011cfb241e826abc5e52b9e2c5b99966a661ab548b90691b06cb3900
AgentTesla
a32812ea87167fe0a9275823f6c873984de4dc7ece43895f02a175826aeecdce
AgentTesla
aba4d6ba306deaf02c3122060facf7e11d19da806321ac993c42461d4e9edcd7
AgentTesla
error
AgentTesla
fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
AgentTesla
+ 3'547 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla defense_evasion discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250301-rs5btas1bw/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
AgentTesla
Agenttesla family
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c7654a38b7e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

HTML Application (hta) hta 3c7654a38b7e605dd7619b4eafd645c2203c2fa10e60508113eaf23a87f92fa8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3462288/
  
Delivery method
Distributed via web download

Comments