MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84
SHA3-384 hash:	e8a53019580489bf1954b77ee7b8b9536a7ddc0d0f9589ca495e9425de92b7d61810e6133f5aa3dcb0447c2106a53484
SHA1 hash:	00d0cc9b8346b2833938d0843ab6fec7047bd433
MD5 hash:	3c6717c101dfc91c08bd4550c746f7a6
humanhash:	november-moon-beer-bacon
File name:	Motilaloswal Outstand Reminder.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	428'032 bytes
First seen:	2021-03-09 15:55:10 UTC
Last seen:	2021-03-11 06:18:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:AegdHdJNqL13WiNEAyw68C40DcY2V8xcNosp6:gUQimnweUV8C9
Threatray	3'119 similar samples on MalwareBazaar
TLSH	F59412A133AC5B21D9FD7BFA5533500C03BCAC12E122C75D8F8A70EA1E66F418A56A57
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: host.purvainfosystems.in
Sending IP: 69.16.249.73
From: Shallet Caldeira <Shallet.caldeira@motilaloswal.com>
Subject: Outstanding Reminder.
Attachment: Motilaloswal Outstand Reminder.gz (contains "Motilaloswal Outstand Reminder.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Motilaloswal Outstand Reminder.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-09 16:51:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ebc80ed4-8b8f-48fa-bb84-199cfabd18d7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/123308/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.DLB.genEldorado.20613.29042.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/633138

Signature

Contains functionality to register a low level keyboard hook

Found malware configuration

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-09 08:30:43 UTC

AV detection:

28 of 47 (59.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3q6a3rmij4rffutdfws4ogpescabs6xj4bw5oq4kghdfxaanh6ca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

80366e346ed1e69ec074215cbe6f086ed5c294792f999c547b3b495d2055fe3a

AgentTesla

88d5ebd6d9f17f62613fffdf282345c09b8458c0bbebb4514b6bddb8faab5617

AgentTesla

de07f2d98f2c6442844522c1bcd03948f4b79ffce22a222e4e6fd3f5864153b0

AgentTesla

e49644244645c3be9ab057acc1f3f84c12a066bc570529dff3842c2c6f5d72aa

AgentTesla

e769369f1fd04a2fdb3976c69cbaaefee66cee1f54f523d7eab4712ce764f73f

AgentTesla

eb9de162cbe1af46b276cebd9141ece2b6bd02847d906e4078b2dc8ded5c2a06

AgentTesla

ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc

AgentTesla

f7af12b666ffa2eb7f5c8a4bdf258b4b47138f8fe21f7f11271581caa891918d

AgentTesla

fe8ec14d978628202295a1a81b97cfbb8952611c8542dfdd7045b9b6d207027b

AgentTesla

+ 3'109 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210309-klx8lmlw2a/

Unpacked files

SH256 hash:

a25219ad5dd91a5d5694db73031214fa9f117ed4da6f20236492e8f1813a6727

MD5 hash:

906911011bb54ca69c23fa0b8b5045de

SHA1 hash:

dd347fc8dcce3ac1f63767a717a029cdbad9dddf

Link:

https://www.unpac.me/results/be2460b8-3276-49d3-b58e-83b4b914e016/

SH256 hash:

22dc8bd52dd1a9faed1715e921eedd5e92ecf953cd30c945300c7af9b8bc8ae4

MD5 hash:

f74ade78b6f15b366b01ab4b42a2cffa

SHA1 hash:

dcc2538b0e5f59da901323cf47044a3e3d7e4aff

Link:

https://www.unpac.me/results/be2460b8-3276-49d3-b58e-83b4b914e016/

SH256 hash:

1510861928b533e1529c1ffe7c6d57d9e5e928830d0afb28fd0fa730ff83fbdc

MD5 hash:

8f85df46a482b5b068ae7667bf1a33d6

SHA1 hash:

a210d369311aa4d709dc962c634174738576907e

Link:

https://www.unpac.me/results/be2460b8-3276-49d3-b58e-83b4b914e016/

SH256 hash:

dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84

MD5 hash:

3c6717c101dfc91c08bd4550c746f7a6

SHA1 hash:

00d0cc9b8346b2833938d0843ab6fec7047bd433

Link:

https://www.unpac.me/results/be2460b8-3276-49d3-b58e-83b4b914e016/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5fc495546a033d15a7d7a70804e1c6cec46d9de68d9e36a07fda9b6d4840b5a7

AgentTesla

exe dc3c0dc5884f2252d2632da5c719e49080197ae9e06dd7438a31c65b800d3f84

(this sample)

Dropped by

MD5 901b1b8c938b4a03ae8187088ba6eb10

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5fc495546a033d15a7d7a70804e1c6cec46d9de68d9e36a07fda9b6d4840b5a7

Cape

https://www.capesandbox.com/analysis/123308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample