MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0
SHA3-384 hash: 49be01eb073cae2e952c20ac8c767235a47d980d26fa61bfe740b4c3b838bf2504e34b5d7f3b80d7d086c1f2303c9576
SHA1 hash: 3e233dcdac6f00af3594b3aa04a3f2c2ae9cfa78
MD5 hash: ba3efad462a67b64b57a07f73ab18c4b
humanhash: berlin-berlin-mike-neptune
File name:Swift copyUSD47000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:454'656 bytes
First seen:2020-07-07 10:24:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 04726b68348c0c3cf827797a9f6695eb (10 x AgentTesla, 1 x Loki, 1 x 404Keylogger)
ssdeep 12288:L4p4rqo6AW98JN3MS57jlX68BsGLXw64MU+t2E9bEuG9eP:LBm8mFS57jlXSGLXw+U+t2Y+S
Threatray 11'489 similar samples on MalwareBazaar
TLSH 47A41292EB854135D91C2C77491328D41714E082396E3BA327C2CC9DBE3969B6FA771B
Reporter abuse_ch
Tags:AgentTesla Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Ashif C.K – Accounts department <info@npfqqtar.com>
Subject: 50% deposit payment transfer
Attachment: Swift copyUSD47000.xz (contains "Swift copyUSD47000.exe")

AgentTesla SMTP exfil server:
mail.bulletlogistics.in:26

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22233/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 10:26:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gwjaebz2vyltkygiqae4e6lg5d3kjoz3axciqeptlxhspmj76cqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f
AgentTesla
34de2d8223254d922454a9c4753613882e2bc5f55a706690715270f9f052b16e
AgentTesla
401f2d59dc8b376b47e434be85e867e872695eb6896599f0f66f75ca16b3b349
AgentTesla
62005a4721dc55f0752df55ca79bd85ccb46ba28a34d10d8f29880e087b69896
AgentTesla
9356f38f03d8b08b94502798482bcc96fa4a5f47f6f67c5bff879d1ec13480d8
AgentTesla
9a99082664fba770485b23172f61bdd349863e9803d7a01170e1839026c6a0fb
AgentTesla
ade9d8f9e1be69ac1a9c09ffe63d32028942eb72a51bc535d03729f0e5fa4135
AgentTesla
c559cd7a8333257a6e64a672d4f0feaecb3805c68498e170766428231bd40aea
AgentTesla
d79b76944fafb851773e0ece31696056e79030cb2e61d9d9c78144d4b5a60d5b
AgentTesla
dbb1903e42379efd23198fa3464b174687a24588816f470802304fec3ebc3805
AgentTesla
+ 11'479 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-2jmt81rjz6/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9e8fb3f0e4794e19a13b5dabf8558550

AgentTesla

Executable exe 359202073aae173560c88009c27966e8f6a4bb3b05c48811f35dcf27b13ff0a0

(this sample)

  
Dropped by
MD5 9e8fb3f0e4794e19a13b5dabf8558550
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22233/

Comments