MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21813f583f972f9c4e699983357c38a32f9a42821db9dad54affd80aefd89967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21813f583f972f9c4e699983357c38a32f9a42821db9dad54affd80aefd89967
SHA3-384 hash: 447f08ba2301a5f807f3360209045e3129679c19c41cab5f77ed33276858a0f6aa6fb0f423c262e31665dada42f55cce
SHA1 hash: 93198c560bf0d1e0dce99b217dcc6a81010e8fc7
MD5 hash: 97e7ca461960d2c6592034c5631eef60
humanhash: tennis-violet-thirteen-pennsylvania
File name:2 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:335'360 bytes
First seen:2020-07-13 11:43:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:4xYy+RpDW7OlsB060FRmVH40OaXPsPO7/ZzjUij3857d0Ngi:MWs7+sB060FRcH3yWdIijKugi
Threatray 10'776 similar samples on MalwareBazaar
TLSH FA64122556CE0F39CE326F3C3D6A4F08D6BAA3A54612F14DC32939D989573686C213B3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: lasfragancias.com
Sending IP: 200.110.77.218
From: vakifleasing <asistenteconsul@lasfragancias.com>
Subject: AW: Swift doc
Attachment: 2 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.z (contains "2 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe")

AgentTesla FTP exfil server:
ftp.universalinks.net:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25265/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44602.13272.25011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/21813f583f972f9c4e699983357c38a32f9a42821db9dad54affd80aefd89967/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 07:39:59 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=egat6wb7s4xzyttjtgbtk7byumxzuqucdw45vvkk77mav36ytftq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
086131bf031aeeb372e3cdd11208f308854b5fc52e68186f738be9cddd01c032
AgentTesla
155065582ffa38e73b116c0d434fbcc4a5a3a1c860e018d0b921301be4187edc
AgentTesla
3e4c4376c736f74bf5ad2b4854f8e28816e1519c86881e3dc7086506cc7950c2
AgentTesla
660af8530b0a29c5aedf924f8214e3a24a87642c1a2fba42c92053caf708e23e
AgentTesla
6e5534bae3f5c22467266cc1921253fded33437267b0f8b469bb17282c52a4f2
AgentTesla
8edc4216ba1586e0b15115817e474900c19e0384f34f9183444d6b83f4bb7682
AgentTesla
c8f33116c7687f9356ff635c3aeda9244900cdcca560792079389d838940c25a
AgentTesla
d68fd5dc4b913479f183b0577cb42d4e9c7a38458d5301336e3a0ac4639ea29e
AgentTesla
dab4f3595b805cc1d2e40f0b625a553cfc6c95db176df4f0673c42f8f02e4cd7
AgentTesla
e726b85425a9c7ac3b74d7bb4b7d86079e66f22d27a4ecda2b002b2b7e1db7d7
AgentTesla
+ 10'766 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200713-1x49pzm8fn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 0dca3adeb716fd57a40088631f94f0102385a36575e62f9eee43128d08ef2663

AgentTesla

Executable exe 21813f583f972f9c4e699983357c38a32f9a42821db9dad54affd80aefd89967

(this sample)

  
Dropped by
MD5 e1f799fae19600f77d55eddf20f39a42
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25265/
  
Dropped by
SHA256 0dca3adeb716fd57a40088631f94f0102385a36575e62f9eee43128d08ef2663

Comments