MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298
SHA3-384 hash: 2cae4a0365a3fefad0631508245a88ecc8143f4f4b846e123ddef78ccb40161f4e61325097c09e29368c5e11bf27ba43
SHA1 hash: dc4c792c6e91e38264056bcd1e0a48639a0f7b10
MD5 hash: bcf87ed1acd1a28a79149e35660a43cb
humanhash: blue-seven-avocado-mobile
File name:AWB Copy ,6020154744.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:554'496 bytes
First seen:2021-01-26 06:41:36 UTC
Last seen:2021-01-26 06:42:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:zllAgvbNlNdRnkj8zmJv8Xa1bPx/2oyxQ74iqEW19TdTCVT:BFR/dRkL8Xa1bl8Q74IEZTcT
Threatray 2 similar samples on MalwareBazaar
TLSH 68C4E0722388DF65F1BEB77D8070111093F0E817E723D69EBEE415EA1A5AF448267A13
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
167
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB Copy ,6020154744.exe
Verdict:
Malicious activity
Analysis date:
2021-01-26 06:48:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f39eaae9-5902-479f-a4d9-ae0a03dbf4b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114615/
Detection(s):
SecuriteInfo.com.ArtemisBCF87ED1ACD1.31943.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/590255
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 03:04:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsadfxos655bjbrji3mi5skl74wuf2tljt2zvquuemt7e5ncukma._file
Verdict:
unknown
Similar samples:
77d54c4049d7d7beca2c7f4897882ca793587b22def49d1b2268f6707a17285a
AgentTesla
e3e1334530a63bb70e51fdd7c28ad51bfcdff8022d393a8dbbd6a398e90ff12c
AgentTesla
Result
Malware family:
n/a
Score:
  5/10
Tags:
ransomware
Link:
https://tria.ge/reports/210126-nclh28l63s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
80ba65181c5e0e8a73dcbd9c0f7f66da0c8ad1bf24cc23c576b26ed209efaa8d
MD5 hash:
88eb2704f7bc7cb9073a5bbe6568a90f
SHA1 hash:
cb7cd2d5a75bf75258411939f51a54f00122324b
Link:
https://www.unpac.me/results/6a50f509-1627-4a91-b5a5-8dba9b791176/
SH256 hash:
321a00830544cd9e677c91f48c120d46e9af041dc15c2bb42da549b965aa9d07
MD5 hash:
cc38e1edb3f379260452c09eecc74a18
SHA1 hash:
9fbc5476196ae2f17e932f327c7b46452b0752cc
Link:
https://www.unpac.me/results/6a50f509-1627-4a91-b5a5-8dba9b791176/
SH256 hash:
7f7cbf9097dcaae0df6e80f27bacae6442ffd99379325597f45d52b7eeae4f55
MD5 hash:
9e180ad6c58426cfced5e4ce564d3e78
SHA1 hash:
795bd75cc9eb7ec14acd54d67ec4470e80d95ef2
Link:
https://www.unpac.me/results/6a50f509-1627-4a91-b5a5-8dba9b791176/
SH256 hash:
3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298
MD5 hash:
bcf87ed1acd1a28a79149e35660a43cb
SHA1 hash:
dc4c792c6e91e38264056bcd1e0a48639a0f7b10
Link:
https://www.unpac.me/results/6a50f509-1627-4a91-b5a5-8dba9b791176/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9281dfee00f305e92e5e98ddc1da570c217a35fe7a5ecc2c98bedc53b6797d38

AgentTesla

Executable exe 3c8032ddd2f77a14862946d88ec94bff2d42ea6b4cf59ac2942327f275a2a298

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9281dfee00f305e92e5e98ddc1da570c217a35fe7a5ecc2c98bedc53b6797d38
  
Dropped by
SHA256 dc6423302f5bb16313b3eb2baef1fb64da923b750c3b7e39d848953140288234
Cape
Cape
https://www.capesandbox.com/analysis/114615/

Comments