MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83
SHA3-384 hash:	3ed73825d00b6fbcc8e2e9af7145c6020388c9c6cd36f6d88d06b0945611f40708598dfebb924095b313ea7f21d29115
SHA1 hash:	f495916b81e0b14bf6392c2531d91450ddd3bd40
MD5 hash:	de613f46aec20a6ad14b85cc95e1f57d
humanhash:	golf-angel-green-nuts
File name:	RFQ MR - CONTG. 0992-19-PD KAHRAMAA.exe
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	682'496 bytes
First seen:	2023-12-19 14:17:54 UTC
Last seen:	2023-12-19 16:16:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:LSL10OEiu1jp5djtXDhl1wFC1hCkXDEK3R:nbtp5dFfuFC1hCkoE
Threatray	13 similar samples on MalwareBazaar
TLSH	T19AE48B4C75B47645F1AABEB3572A1058C7BAAC17A1EBD1084D81F1FAB5317400BA3ECE
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

---

File Origin

# of uploads :

3

# of downloads :

309

Origin country :

DE

Vendor Threat Intelligence

CAPE Sandbox AgentTesla

Detection:

AgentTesla

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/468501/

ClamAV Detected

Detection(s):

Sanesecurity.Rogue.0hr.20231219-0835.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6581a61eb4e856b7281fd70d/reports/4697ee72-7ce7-4c3d-b39d-bc8efc2f8a03/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Agent Tesla

Malware family:

Agent Tesla

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/435adf9b-7167-4870-a36b-0931a35f1b69

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1364556

Signature

.NET source code contains process injector

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83/

ReversingLabs TitaniumCloud Win32.Spyware.Negasteal

Threat name:

Win32.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-19 11:37:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

15 of 23 (65.22%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3qtwaho5xlkgaoedva3kz3dzdftlh2msn7nqsrojlne2tfl6xkbq._file

Threatray malicious

Verdict:

malicious

Similar samples:

0a83d0d2312389ef06b761afdbbc213888ebba51bcd41ef53d532485e1bc0600

AgentTesla

13e767854d12c3a62a83c90839d9b3041fcca033c06ae1452de9704886e4948b

AgentTesla

3dc6359da570fe22bb978572f80c64c540f1d3f68db732953ce8aec2586a6d36

AgentTesla

8acf98103ca250e8dd4d0e507e87c51085de89a0faf2955fbc419d9354b3793a

AgentTesla

c5826042658d501255acd496977f729007d863eda73bb7f8cda74cf009d79bd0

AgentTesla

cccc4690ace16e44f44473c2df179b5b17e27f863b33abda126199014cb224d8

AgentTesla

+ 3 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/231219-rl9mysfee6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

AgentTesla

UnpacMe 2

Unpacked files

SH256 hash:

c5445ed60d86cca92cefe053118748bedf996fa8a379a147d73a2fd5e9a03342

MD5 hash:

8cb6e6bbba0b3f728e8c1cbef93bb63e

SHA1 hash:

0ee674f5e3b44cbbbf561a09b48bd803bff84e7a

Link:

https://www.unpac.me/results/db5f97ce-491b-4e95-8eed-d0156840ccf4/

SH256 hash:

dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83

MD5 hash:

de613f46aec20a6ad14b85cc95e1f57d

SHA1 hash:

f495916b81e0b14bf6392c2531d91450ddd3bd40

Link:

https://www.unpac.me/results/db5f97ce-491b-4e95-8eed-d0156840ccf4/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dc27601dddba/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe dc27601dddbad4603883a836acec791966b3e9926fdb0945c95b49a9957eba83

(this sample)

  

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/468501/