MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c
SHA3-384 hash: a078b33c6e2bb048a8eac6b5ec26daa04fc92b327ce65270c95450eaaca273b4a1f4030f6ced1a0e48bc2b0f8e369092
SHA1 hash: 8d41d3eeeb9108327da8cd9e235430577380e751
MD5 hash: 5d7e6884e2e410265c71fc06c62a10d0
humanhash: one-fanta-salami-stream
File name:5d7e6884e2e410265c71fc06c62a10d0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:452'608 bytes
First seen:2021-03-31 07:31:48 UTC
Last seen:2021-03-31 08:50:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ec18f4d9317b5556304720b9775af997 (2 x Loki, 2 x AgentTesla)
ssdeep 12288:6Xh6FWUvRr2Ly9Q7OnEOF+JuVO0EyTgvpXp16DY:6Y3iLy96OEOFzVlHUv96D
Threatray 368 similar samples on MalwareBazaar
TLSH 6BA4F101B2D5C072D0510DB44821C3BA6936FCBA9B3896CB7B947FAA5E257E18B37353
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla FTP exfil server:
ftp.austrianhaus.com:21

AgentTesla FTP exfil user name:
wx@austrianhaus.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5d7e6884e2e410265c71fc06c62a10d0.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:39:20 UTC
Tags:
trojan rat agenttesla
Link:
https://app.any.run/tasks/232a44e0-c7ee-4a72-860f-b48e4f91b57c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/129203/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.31181.1167.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659962
Signature
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c/
Threat name:
Win32.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-31 07:32:07 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yo6slnsgxkns4ensawcaplvjmddrcnlbmqdryqxvff3lhwulsega._file
Verdict:
malicious
Similar samples:
296828d37dd5732fa8bc85dd59c8032bdcbbf5aff62399ae72cabdd1989c475b
AgentTesla
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
AgentTesla
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
AgentTesla
752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957
AgentTesla
76386b4c6c46b36b26d9ce00df7982d461bcd1a7586dde62cd831349d0aa3a4b
AgentTesla
8ab0599e3f141523358e5b60ef3cd9a2fb1fdbde52cb693e675a9004a25ff007
AgentTesla
abf61356eb007bc0eb51c4208af46dd2ed3d8d94c10dffa7ff5a5c0a4a802a74
AgentTesla
b86212f123c131db6d159559b4f9df3348946697ec8e2978121b925014619e5d
AgentTesla
bbf12a366bfa192a4b899db478824f887280a4b5410abbe1bdea5ce82130f9fb
AgentTesla
d217032899487162688fa6c3855e13040b074de38d9c57c91b47c1190842edc2
AgentTesla
+ 358 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210331-amr4h6641x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
15961db064ea3016a241102d3436d6b3fcdaa6420eccd89b127ed93ca94a387e
MD5 hash:
31c55efc0f92945caa8f28304a7eee2c
SHA1 hash:
ded7cc31c86f3bb3495aebe4069cd3f2547cf60c
Link:
https://www.unpac.me/results/f63b86ba-83ce-4a2d-b477-46e5732373ac/
SH256 hash:
ad0c1b49bed1db0c7115c9711116bd8779c5967ae66a72512bc8ba8bd08e3e1a
MD5 hash:
79e311262ed12914eb563b8f65390936
SHA1 hash:
5838643357083d408d5bb98ec72f339af71563c9
Link:
https://www.unpac.me/results/f63b86ba-83ce-4a2d-b477-46e5732373ac/
SH256 hash:
f257163102c2281066e63ab18d11c14e4941da1c33b3bd5c41f969e21d18f9a5
MD5 hash:
a3b4a45222f7b3f03cac2217b1fae410
SHA1 hash:
54e29e4caa37205f7e163cea4ee39ad46aaeb56e
Link:
https://www.unpac.me/results/f63b86ba-83ce-4a2d-b477-46e5732373ac/
SH256 hash:
c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c
MD5 hash:
5d7e6884e2e410265c71fc06c62a10d0
SHA1 hash:
8d41d3eeeb9108327da8cd9e235430577380e751
Link:
https://www.unpac.me/results/f63b86ba-83ce-4a2d-b477-46e5732373ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c3bd25b646ba9b2e11b2058407aea960c711356164071c42f52976b3da8b910c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1075484/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/129203/

Comments