MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45a5f7786e3c2bcf5ffc0c4cc16e4a0d534624cc096bfd1bec6054cad0d6ae92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45a5f7786e3c2bcf5ffc0c4cc16e4a0d534624cc096bfd1bec6054cad0d6ae92
SHA3-384 hash: 9a486d8d7aa64aa5ee5b1f342a4592ca0e963ffe46ce3f2b987fc2281093dcc8bd49912c5396d881e406f9b609abeafb
SHA1 hash: f6e9c46cd4c4f9166ace9c2f04a61bd0dad58ac8
MD5 hash: 4d6dc2778ab1f2bb454a090be1da2220
humanhash: tango-asparagus-lima-cola
File name:Swift Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'669'632 bytes
First seen:2020-06-05 13:50:52 UTC
Last seen:2020-06-05 14:50:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:ttb20pkaCqT5TBWgNQ7aOoYXBbdbdURWu6yK9R1Oacue3fwY7bX16A:eVg5tQ7aOoYxbdbqWf7qwOF5
Threatray 10'744 similar samples on MalwareBazaar
TLSH 5375DF13239F8265CF7E51737A15B7016EBBFC2406A0B4FB2F94D93CA9201215E4A66F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: del.cpworldindia.com
Sending IP: 185.234.219.101
From: UMESH CHAND <fcl.doc@del.cpworldindia.com>
Subject: TT Swift Copy - Application - Outstanding Payment
Attachment: Swift Copy.zip (contains "Swift Copy.exe")

AgentTesla SMTP exfil server:
mail.13texworkbd.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6717/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-05 13:52:09 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iws7o6dohqv46x74brgmc3skbvjumjgmbfv72g7mmbkmvugwv2ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03705e80544a6e5a57ee2dd76695385f3ad3c889ccfac6ee3894fcb1d4cd8892
AgentTesla
06fa29bfe88ec7adf47798e9ec98077ae0388e63a1b70f9ec19ca265f93e2e71
AgentTesla
10c418adf1fc625bede0ca0fdb71bafbba3570e99e96f44f362b82ac34b78626
AgentTesla
183919b502e2e5f18730c75d890bfb9876a19f25372f8db41e1a7f7876ffbeaa
AgentTesla
6f58ff44458ca64c64b84ba9ff75da4667933894ef3fc4f8c0fd7a6f76d76d09
AgentTesla
77761e8530f70e653145a4736b03cc88abe3be089fbc2fec3eb294f4dc952377
AgentTesla
8efa5e8db185fb62c1a2156d79988c47d240abf1099e10cefc16a2d3956cb49c
AgentTesla
9ace6106dd578568556048e4ae2d295a6c55098ee3e61a691ac4873c1ea61aa0
AgentTesla
b99ab6571c625004df68a09401b8aa87d6e3c7b86195b6a1be7f15bf48a01f24
AgentTesla
bff0771ae9dbc7078a6afdb9fd366c5f3464606897e2710f09240981fa57ff9f
AgentTesla
+ 10'734 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-38hfj2xeha/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 9e5860dc4e129e5ff632edea75e8c86cf2e3ef0d503971340f79b38f0064bc23

AgentTesla

Executable exe 45a5f7786e3c2bcf5ffc0c4cc16e4a0d534624cc096bfd1bec6054cad0d6ae92

(this sample)

  
Dropped by
MD5 8dbe6e6143583844e07d3a150a18a8e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9e5860dc4e129e5ff632edea75e8c86cf2e3ef0d503971340f79b38f0064bc23
Cape
Cape
https://www.capesandbox.com/analysis/6717/

Comments