MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162
SHA3-384 hash:	5069644b3eafb5fa623ab7f6847fba6cbd89831bf413d5d8b77ae0f831520750d25ecc00906e3bd0a856ba262cd8e523
SHA1 hash:	b820188b7c9417fdb55e336aef4c5ac31c3fa94e
MD5 hash:	85736bb4da9fdc0660a3c6fe2ed2e284
humanhash:	indigo-oranges-missouri-single
File name:	pQBto3pAQGDaLCS.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	527'872 bytes
First seen:	2023-05-11 07:09:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:KqUumxIP290VbLtSIi5ysoZSzZHedtmZIyIbnzSbz:0umxIU0VgIi5XoZqHeWAm
Threatray	1'081 similar samples on MalwareBazaar
TLSH	T1FDB4BE85123FBFE2D96407F1221834534B7DA11A71F8F0B86D5BB8C9C8DAB215BD4A63
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

pQBto3pAQGDaLCS.exe

Verdict:

Malicious activity

Analysis date:

2023-05-11 07:11:40 UTC

Tags:

evasion snake keylogger trojan

Link:

https://app.any.run/tasks/749500a7-9628-4016-8c78-be37d84c5563

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/388352/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645c94cc1114aa6fd98aecbf/reports/b526213c-741e-4817-962a-483d819bba7e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a0df5ca0-aed5-466e-837d-cdd45c948376

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1230594

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-05-11 07:10:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ymo3eqex2f4hmp7s3i6vkxr5xivnnywqkxe7elq2hifj6kdyifra._file

Verdict:

malicious

AgentTesla

1990292761ec740bbacef00eb11ce5d812011391813723ddab04ea0246249625

AgentTesla

1a3b961a9b5d76e0028382423f14a35192cda3d3a6dee88fb812c90b1971bf2a

AgentTesla

21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751

AgentTesla

2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b

AgentTesla

57ff6de510ccaa060efa53e2c9e1c1b8c3b132fa55289a8a7ecc321a5370043a

AgentTesla

8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3

AgentTesla

8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357

AgentTesla

e5615a6c90478a371040d8f7d4721e183b5efcc0b0e6ce64b7ab4ee1d04bf0be

AgentTesla

+ 1'071 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/230511-hzdb8scc44/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

SH256 hash:

19bab8168b0fe7e2e245caddb7073f087a0380006f1735659c62a3098035aecf

MD5 hash:

29f52fdfaf2edf07b4e9ea343822e379

SHA1 hash:

d92c0fe91fa6f346e658e7ec58a0e4396a781ae0

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

SH256 hash:

c066a43b331f17e260ec5cf12f12ed303f65862cb94e27faaacb823320a04d85

MD5 hash:

911fc9c6d4a60334c08ca7c9315b06d3

SHA1 hash:

aecc0d491f2cdab90383b7cd50334b866d6ec0d9

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

SH256 hash:

b578a9823aec474eef9633252f2e3db30c6e751d026422ca08e958ec1b425786

MD5 hash:

81162ffad0c82393f7b78eea996a57db

SHA1 hash:

4ed03d5e2eacad54ec45fed42d03b5a4e3d629c8

Detections:

win_masslogger_w0

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

Parent samples :

1990292761ec740bbacef00eb11ce5d812011391813723ddab04ea0246249625
c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162

SH256 hash:

b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4

MD5 hash:

7b6143d9d94c8b80d191b77d8b6d1ba2

SHA1 hash:

1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

SH256 hash:

c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162

MD5 hash:

85736bb4da9fdc0660a3c6fe2ed2e284

SHA1 hash:

b820188b7c9417fdb55e336aef4c5ac31c3fa94e

Link:

https://www.unpac.me/results/0d431edb-81fb-47ce-9179-8e3aeebf4d04/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c31db24097d1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe c31db24097d178763ff2da3d555e3dba2ad6e2d055c9f22e1a3a0a9f28784162

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388352/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample