MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e36461da17ccdda3c8ff310b8b595288f1b8621a832d0da702161cf128ba2e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	8e36461da17ccdda3c8ff310b8b595288f1b8621a832d0da702161cf128ba2e1
SHA3-384 hash:	e973e53bb77b2fffa7baea18ce8f683ddef60d7282a265074659bd0317338a848d58387980a06817762215b61a8b5709
SHA1 hash:	7d5afa67beae25b5a6c0029b0b8ed28ba18d4b78
MD5 hash:	0d9b18ba6019a9be523591205af8041b
humanhash:	cold-timing-oklahoma-charlie
File name:	Swift Copy_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	685'568 bytes
First seen:	2020-07-08 07:21:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	36f0bfec2a95b5dc1ce402e9a6332e04 (6 x AgentTesla, 3 x Loki, 1 x RemcosRAT)
ssdeep	12288:AWvaSpf0bmv5rtvP9Tard2qnNERo+45ld6Q64xWrRc3HhBx:DPpvVa8qNlr6MxWrm33x
Threatray	11'030 similar samples on MalwareBazaar
TLSH	40E4BF22F6F04433D16326799C1B5378A836BE103E2859962BF5DD4C6F397813B6B293
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: bizcloud-lockansd.club
Sending IP: 161.35.157.97
From: Linda<fullcoin@ms25.hinet.net >
Subject: Fw: Re: Re: Re: Re: Re: Re: Re: Payment invoice document1
Attachment: Swift Copy_pdf.gz (contains "Swift Copy_pdf.exe")

AgentTesla SMTP exfil server:
caixaonlineservices.online:587

AgentTesla SMTP exfil email address:
blizzy@caixaonlineservices.online

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/22937/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.PWS.Stealer.28790.21517.21083.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Creating a file in the %temp% subdirectories

Reading critical registry keys

Launching a service

Creating a file

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8e36461da17ccdda3c8ff310b8b595288f1b8621a832d0da702161cf128ba2e1/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-03 14:03:59 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ry3emhnbptg5upep6milrnmvfchrxbrbvaznbwtqefq46eululqq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2360b89fa9459eeeb583d67f26ba7973751feaf3868b636dd176b1e891f47a49

AgentTesla

597ba10cc7ef72e08723d7590211ea1224f87ff781b93dcc6bda9cd33105d505

AgentTesla

6c198cde01215ddc3644821cac16edead4b41dcb19f2ea0639e57b27347b8b78

AgentTesla

92c9a6913693ae356cfb046830f7975cb3de7cfd78c76079190e6306512b6c16

AgentTesla

97bb08ab5ab612641d3744f726c9369b7cd5ddeaf4b6ddaab9ee8f3d2ee66013

AgentTesla

a27b2d452f7d788bf0eda5ada653de0b51246ee24485e541073080fdd4599b6b

AgentTesla

a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d

AgentTesla

c8b44f5df884548cc3bcaf4a3e48cb98af05133476ceb66770934a40af17ce6a

AgentTesla

e939e5ac72af54c976d32967a56e22c82b4c46fc5693ebf04ccdbbd4ccdc3470

AgentTesla

+ 11'020 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200708-y7mxfdr4ga/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Adds Run entry to start application

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

070c4a2968aecf6edc89f8c338336ff0

AgentTesla

exe 8e36461da17ccdda3c8ff310b8b595288f1b8621a832d0da702161cf128ba2e1

(this sample)

Dropped by

MD5 070c4a2968aecf6edc89f8c338336ff0

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/22937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample