MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17c62b06256ad03ddbc9653792ddd44c03e6ee89adece421e74c262c40743c54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17c62b06256ad03ddbc9653792ddd44c03e6ee89adece421e74c262c40743c54
SHA3-384 hash: 123e711ccddf7e277f6cc90cc03c540551e04117b575e25031aefd686750b632108632ec9d96bee24d7b7d00ac2c7b16
SHA1 hash: 52bc9b244bf265abffc62358b53c5b72a6b4bb46
MD5 hash: 9648bc459061f293c0dcf25470c4544f
humanhash: hot-nebraska-apart-yellow
File name:SWIFT-47500 EUR-16072020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:708'608 bytes
First seen:2020-07-16 06:47:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:fbO2CS28qtmuFD7mtecBph3i7/GKUe76vefiAwdhaxNAEKcTGb6yl4/qX7o76VQh:fi2CSVq2tec/hyzJ6vBzqBHyl4Cr
Threatray 10'775 similar samples on MalwareBazaar
TLSH B7E44B3936C16404D93D097688F469E372B175873B62CB0FA8CA176C6F537DB3B0629A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.wazit.it
Sending IP: 46.28.2.41
From: Hamlet Wagner <milena.stijakovic@delfi.rs>
Subject: Fw: SWIFT
Attachment: SWIFT-47500 EUR-16072020.IMG (contains "SWIFT-47500 EUR-16072020.exe")

AgentTesla SMTP exfil server:
mail.baslog.rs:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26392/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.368.26529.13946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Moving of the original file
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17c62b06256ad03ddbc9653792ddd44c03e6ee89adece421e74c262c40743c54/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 01:15:54 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7dcwbrfnlid3w6jmu3zfxoujqb6n3ujvxwoiiphjqtcyqduhrka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6093b0ef8a611c4be1ce3aed1ff0611027ecade6b61e74e5ba8708b061d20c40
AgentTesla
60afa1cecab16463b02d42aaf93a28345874073c3abd26970539a0094829f8d1
AgentTesla
71129ed66ff17356ade65197b3b871fc7d5d0de5040bfcaea7bebd2f16e2a9d7
AgentTesla
95f7e4ba924a6071d7a3140c76619b0db386d4e5c8df36e93a29164c286f4547
AgentTesla
bab9a6f06c198be12246666b1763fe38ef22795f44ee6aadb141adb5377cb1ec
AgentTesla
bb6af15e47e6514cf1bd873c88a71c4e6c91a1920e7b3badedcac30fa5e93f9c
AgentTesla
c916367a402cc2cbb3506568aa7863a846fe6c2a5cef56599b164e2d829628aa
AgentTesla
de006c9526937934142c1f991be7b89fe9d9fd6c080bc340e8fc542e850fd4f4
AgentTesla
eeeac74213c352afda53fd84a4a6cc2e200613a49f02c9b0f0a1fcd4ab0a06cb
AgentTesla
f7ca5b06b736c007b2dfea70bcb1cba8d3b243bc040813e367b13b927d44cbfc
AgentTesla
+ 10'765 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200716-71xmvf8pan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img ac29f91ad233eaa2cf4b89bf703c70cbefb3e29446de8856fc6d30c3e5e18fc0

AgentTesla

Executable exe 17c62b06256ad03ddbc9653792ddd44c03e6ee89adece421e74c262c40743c54

(this sample)

  
Dropped by
MD5 790a95d86b618f54a38c888df21e88b6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26392/
  
Dropped by
SHA256 ac29f91ad233eaa2cf4b89bf703c70cbefb3e29446de8856fc6d30c3e5e18fc0

Comments