MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c29457b31b7fe65d41954b49ab9a57120fe096d923332237e8dd5a43e70164. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75c29457b31b7fe65d41954b49ab9a57120fe096d923332237e8dd5a43e70164
SHA3-384 hash: 32bfab28f2ddf6f3cec9fea4f9fcfd9ad2acd86d92d92fc9164fdc3e6a545346715b2a594001d388c652e27e854a9693
SHA1 hash: 2c4f2e14d341d08ccb1e463398eca58d4a099c6d
MD5 hash: 4c657846ed40a1667371a91c1d687738
humanhash: finch-victor-magnesium-network
File name:swift_copy3454.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:645'120 bytes
First seen:2020-07-22 07:10:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0XrG49GVSI92iNou8Bku4sKH7PWViSXT/XIu0rq5m7ZDF2peQw4C53MZ:aGVh91ymubEbK0WKb2peT4i38
Threatray 10'632 similar samples on MalwareBazaar
TLSH 81D4F020EBB407DAD7A54775E072114093BA662E67EAE30D2FA5F4DC1932B418713F2B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtpcmd01-s.aruba.it
Sending IP: 62.149.158.221
From: finance@wanderjoyparties.com
Subject: Swift Copy-3454
Attachment: swift_copy3454.zip (contains "swift_copy3454.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30837/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.14107.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394533
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75c29457b31b7fe65d41954b49ab9a57120fe096d923332237e8dd5a43e70164/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 07:12:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oxbjiv5tdn76mxkbsvfutk42k4ja7yew3ertgirx5dovuq7hafsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02e52123ac380ed5e3b0b8ce9322680b8e1d8082c9f181588cc7213cd701d69d
AgentTesla
052bcc60e46315357188930ba35adce006f4e223a50c862db9795998d96faa30
AgentTesla
112fe86589f5587620a62be8ebeab2ee9898f770762f7be2b92a229c46d52917
AgentTesla
259c12edc3bf5e4b46369016b698b8681003919e9756d38d11bf9495c1528bc2
AgentTesla
5f8d0e5d206e5b37c552b79782a6777edf6e7a9a1c1db8ce324055baba187f4b
AgentTesla
6ac8760908f2570c325974687806483fc02913c23a476a575362030f3926e2e5
AgentTesla
759b4c280e580dd550ae1da28bb6a2fe7c2a53b3b4a9108d7328e0979ef7c84a
AgentTesla
8b54843b4acb823d224d090a1c2246860d643318959d95fa342b588fcba6a0c4
AgentTesla
b3d04742660b365ffc6efa0e36d71fbd45f61a252f55423ce2edd7d54d90a023
AgentTesla
cf1390576f600dd52c89ddbbec49142b26638748b5fb696c3c2ac4583ab68b75
AgentTesla
+ 10'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla evasion
Link:
https://tria.ge/reports/200722-13kgvtvfej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Maps connected drives based on registry
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75c29457b31b7fe65d41954b49ab9a57120fe096d923332237e8dd5a43e70164

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7ce5a8071d7c45dc7572fa4d7334d4d4bca1141adca67e3ce2418ffb66f03d44

AgentTesla

Executable exe 75c29457b31b7fe65d41954b49ab9a57120fe096d923332237e8dd5a43e70164

(this sample)

  
Dropped by
MD5 5ef67ee2f2c6b90f6e6e6b65d2dfd2b4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30837/
  
Dropped by
SHA256 7ce5a8071d7c45dc7572fa4d7334d4d4bca1141adca67e3ce2418ffb66f03d44

Comments