MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd
SHA3-384 hash:	ff26e9bf0a9ad94f2b3aff08f807ab430290864de6a94198b6d3c6a2d514551340c34b6db5bfad3a8fd6e04c7c00c564
SHA1 hash:	31b6aef080ee864059e8a82d8d9d2b3745578f2d
MD5 hash:	11ecf3ab5737650035ef7e9a3c57f80a
humanhash:	may-johnny-alpha-oscar
File name:	5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	779'264 bytes
First seen:	2023-03-08 12:13:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:2dj50i653yhXyiQmHE1ODGK90f8EcgeL5KDmCxkFTmcj+f8p5:e50iE3yhXyiHE1ONe5eFKDmrFTzj+U
Threatray	544 similar samples on MalwareBazaar
TLSH	T13BF40255B3A1C126C92824B5C4D39C6013F11E93B633DA0E795063A36F932FE9E57B8E
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	4f07090d0d014f8c (47 x SnakeKeylogger, 17 x Formbook, 13 x AgentTesla)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372556/

Detection(s):

SecuriteInfo.com.Win64.PWSX-gen.21877.11360.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/64087c0e23801f5963545ad4/reports/36107f47-d514-4dda-8b52-79cc6233ec55/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd

Result

Verdict:

MALICIOUS

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27ec8070-becf-40a1-bb92-37413815b12a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1189397

Signature

Allocates memory in foreign processes

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-27 04:17:00 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 39 (48.72%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lq5cseuvrp7txugslmkbumtrp4hxytd3cci2eyyyk2kmf53z6pgq._file

Verdict:

malicious

AgentTesla

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

AgentTesla

34b51359ad6122847ab773704dd928b28eb69382bacc7575278f2b25af583ac5

AgentTesla

8271b73c229772949561931797ba49d42098a5f9eb97276252462ba7c1261951

AgentTesla

a878bb11a3506ebd1b50a752517e2596455a7700f01a80859c0e3012ac15f09a

AgentTesla

e27022a26d1147b9ad82d55e184c6a5a6d7deb4e405236fb416123a7c648f8b4

AgentTesla

f07483b6c09732c8d5e094bd2e2b405477ddbf8e220c12bd7982bc132cf44a04

AgentTesla

f9b608b8ea15f9e8148eaa73ea96e2eff983b808f9d0cb2f27d833ebebc165f8

AgentTesla

fec6af49d1a7c7b4bf3af5e663b80ff142788e7d79b312a2180ec7b8b89f18d9

AgentTesla

+ 534 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230308-pebq8sgc45/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

.NET Reactor proctector

AgentTesla

Malware Config

C2 Extraction:

https://discord.com/api/webhooks/1077566111689740349/gnJjTpoCwEM3PNDQkU1Kb4C12Er7lUmsBkWDapkU4UnedFpWqrRphmnNJUx4027RyZXM

Unpacked files

SH256 hash:

5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd

MD5 hash:

11ecf3ab5737650035ef7e9a3c57f80a

SHA1 hash:

31b6aef080ee864059e8a82d8d9d2b3745578f2d

Link:

https://www.unpac.me/results/df1b74e6-9b00-4577-bd96-e0a1adfe0eb6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5c3a2912958b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/5c3a2912958bff3bd0d25b141a32717f0f7c4c7b1091a263185694c2f779f3cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/372556/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample