MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384
SHA3-384 hash: 4f309883b6dcf50f0e4abbbf168be757a35f62792728da493ce80be5af2a60fae624c9a9a340baae9aeb6a3afd6988bd
SHA1 hash: 9e17a2a3086810268ac8274b3993de90e2752f41
MD5 hash: a958b7255d484f1f3d76a316cda9d646
humanhash: colorado-apart-magazine-king
File name:Order Req.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'272'320 bytes
First seen:2025-08-06 09:13:15 UTC
Last seen:2025-08-06 09:15:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:htb20pkaCqT5TBWgNQ7aM3A21inUFjlQtKA6A:yVg5tQ7aMwuWUFjlu5
Threatray 2'579 similar samples on MalwareBazaar
TLSH T1C845DF1273DE8361C3B25173BA667701AEBF782506B5F86B2FD8093DE920121535EA73
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 34f4ccccd4f0f0d4 (1 x AgentTesla)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
53
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Req.exe
Verdict:
No threats detected
Analysis date:
2025-08-06 09:16:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73eacf0c-fc15-41ed-b163-c4e92792f332

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19157/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68931cc411d7f9b979e60002
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
BSOD occurred
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint keylogger masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68931cc69ef4d2ff7cedb822/reports/a666fb1b-f2c8-4b72-a8a7-df79b568e8c0/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d445c2d-7279-40aa-9828-0b6cf8c434d0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751208
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Binary is likely a compiled AutoIt script file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/a958b7255d484f1f3d76a316cda9d646
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 01:23:26 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yoxtsffmitrwbzowhnak4pjn6d665v3yergen3lm6qjc4p5oyoca._file
Verdict:
malicious
Label(s):
unc_loader_036
Create hunting rule
unc_loader_001
Create hunting rule
autoit
Create hunting rule
Similar samples:
0a36f604c1dfb7297c21f2b74600caa5df81ae43c9c1824e4a8de425b0dfaede
AgentTesla
6584f13ecd514b59ef380f0fa106ef5f6ef53e2bb39e0da02947e83de62f6444
AgentTesla
681d856fffd8a6f16f3b0f62f6aad5cd1adb042be504b3e9dcbc5ed469d7450f
AgentTesla
796d34138fdc6bd505ee0babe7170a11d7c1f7bb5c4171732a64c895aa0872d1
AgentTesla
d4980a2c4b12511d3b4d42b321f438d239772eae4ea9806f3b2ffc11f707bbd6
AgentTesla
error
AgentTesla
+ 2'569 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250806-k6z6pagk6v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/de558fd7-46ba-45a2-b344-c60f92c16fb3
Unpacked files
SH256 hash:
c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384
MD5 hash:
a958b7255d484f1f3d76a316cda9d646
SHA1 hash:
9e17a2a3086810268ac8274b3993de90e2752f41
Link:
https://www.unpac.me/results/ea2282c9-6f37-4e62-acd7-d400f87e3d2d/
SH256 hash:
b95d8d39d7e1df296c3f8a911ff092fbdca0d82bf21c4fda01bdd666c0ce0f14
MD5 hash:
6cf52635d3a74313f1e4016728eeed17
SHA1 hash:
4fe402ca3d4fd24af667920a66bdffe0fb821339
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/ea2282c9-6f37-4e62-acd7-d400f87e3d2d/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c3af3914ac44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c3af3914ac44e360e5d63b40ae3d2df0fdeed778244c46ed6cf4122e3faec384

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19157/

Comments