MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6407a885f99633b2f5559e9f04b001a859367468dd7e761fb28d527995f3112d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	6407a885f99633b2f5559e9f04b001a859367468dd7e761fb28d527995f3112d
SHA3-384 hash:	1fa45b93ca6586304e8a7bbd1751904547e18671c8c23fa8d57d95d11ef9767d1b174d0436ccf8c8b71fe2de5ad11aca
SHA1 hash:	e558ce35045d142f88758c161f7c4a6a70b9e5a0
MD5 hash:	df474cae010ab858b7d078d8e9ebd6e0
humanhash:	nuts-romeo-river-foxtrot
File name:	Swift Transfer Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	822'784 bytes
First seen:	2020-04-27 23:04:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0318ec2c3e20540fe0ccf697fa352b5b (4 x FormBook, 2 x Loki, 2 x AgentTesla)
ssdeep	12288:cMwW5CcA25doqMiR3jfdKWVGKiwqd+ecWOhVl29b0eeauoVUMhyLp4swx6:i8C2xVrdVMpn+ePDBeauK3sK6
Threatray	11'628 similar samples on MalwareBazaar
TLSH	E605C036F2D14837D1732A789D5B53A4A83ABE103F2998462BF43D4C5F397913A39287
Reporter	c_APT_ure
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.LokiBot-7699946-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.GenKryptik.EIOO.20590.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-27 09:16:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mqd2rbpzsyz3f5kvt2pqjmabvbmtm5di3v7hmh5srvjhtfptcewq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

40e9b18a9ae56099292d10bd537b24db851b03b38a54028f5460b1433f4aa627

AgentTesla

42d3c435ddae05ed1919a53a8e2ad1b2ae86a50c71916aa995de30519a43e2f1

AgentTesla

47dc93d9f50e610072c38ed05d454b31b9a4d9c31f2abc75840dea36ec4ef374

AgentTesla

7dd1ac7e7f7f3a85ebdcf6337b4f83dee2e6421ee4373e6328c08d8a0854ae9a

AgentTesla

d8bc30268551dbd155b8117bf3be1c869fc9945508801f658583e8f4ec46187c

AgentTesla

dd4612720dc675595ea7b77ccfb956890feb5e02e076826d249b0afd0ca7ce1b

AgentTesla

e3e778591453a54d2cbd3ab1bb4ecb69ed94222f248aac24a95fb951fc6101f0

AgentTesla

ef14e580eca50b75acae60fa7c6642fa89fc91ee8492f5193608937f4d78781b

AgentTesla

f3141eb0d06d4ddce695865bbd38b6d1c9fa564d3ab4a9f1a5d1c0bb9c9931cc

AgentTesla

+ 11'618 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample