MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67b4164b9bf142ed80ed782d6af715dd7b48b2f058dd3aed96e0c737accde253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	67b4164b9bf142ed80ed782d6af715dd7b48b2f058dd3aed96e0c737accde253
SHA3-384 hash:	c694718186247b8b974c37be816732341007fc29222685983076642827d9bd39d31e95cf183c047cd18e045ced0b5c9c
SHA1 hash:	adda2b0be6b0ac561ac07794c3ee86a8fc98a45e
MD5 hash:	40fefafb8a5b111adc6e4342c67e0edf
humanhash:	football-july-cat-green
File name:	Swift.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	523'264 bytes
First seen:	2020-07-01 11:47:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:07xuSiUkdQUvAjXAYAabyAI4AeLa8xThl+u2fusHQS13LgyytxUP89viFRheLRmR:xNuswS1b1yvaRD8t6gUyvjQlsu
Threatray	10'716 similar samples on MalwareBazaar
TLSH	00B49DC0B6BA4B96E7B257FB1A62484087FAB93E653DD3590E8270CB94A1F404F51F13
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.chenklins.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/18239/

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/67b4164b9bf142ed80ed782d6af715dd7b48b2f058dd3aed96e0c737accde253/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-01 11:49:04 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m62bms436fbo3ahnpawwv5yv3v5urmxqldotv3mw4ddtplgn4jjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

249470e3d05c5ccf6bc0e844bbaa8aaad1cfa94ba499cb60900a4394db427c2b

AgentTesla

2ed26d1a5adb1a2c4dacffd689af6926628bbb54cfe2a7a770a2200abfbce61b

AgentTesla

5d1cd6fbc8725d4936c441e92551aaf4b3b91710ecc7cb5094a43f9e426d6b88

AgentTesla

a7534a67287f201714e7983107df187fc9b9fee458ff257d69dd312e17f8fd6d

AgentTesla

b823ab3333cbfa29218063de8440da29fc50aa7db3e70bbc9bf586c2f1eff696

AgentTesla

cbda39c31315687590c184cd2626289865fd5abbb42295fe60741ec5135a7119

AgentTesla

e32ceedc7f3719266de8a4d1c3ddb0c2101a0e08cd7d9f9f1c867420f4d83081

AgentTesla

e91d532d8063f104ca3b861c51f95b7cd7e79010024fd713515e1c5283a8b2ad

AgentTesla

eb819cbe9bdf4896c0fa47690385024653e2d37f49b3b8f403078083421ef0a2

AgentTesla

+ 10'706 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200701-n4nh1kpea6/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18239/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample