MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ee4015e77250f861a3c3868a074de25eddfa3e6a2dbd159be7d61ee65513aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ee4015e77250f861a3c3868a074de25eddfa3e6a2dbd159be7d61ee65513aa0
SHA3-384 hash: 1efbf40cfcdb495e9561c9fa6483d02fa01abfd1ec154f5bbf7c1a0cdca36eeafa8401256a45b8aba7cdd2567896567d
SHA1 hash: eca2ad759629a464d34b1cdfda35272c54903548
MD5 hash: 6f7a55cb3c62cfd7decde0b32f23a8a0
humanhash: zebra-happy-massachusetts-twelve
File name:tt copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:689'152 bytes
First seen:2020-04-30 10:47:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ek0TXLzOqADmctF7IKw+/fFOjwXXLobLVwbRH3wpOdh7fL/4JanSYNiZIRc2:ez34/77NfFOjULodu2
Threatray 10'660 similar samples on MalwareBazaar
TLSH A7E47C9C369071DFD527DA72CEA42D64EA25B877630FC2076013229D9E6EA97DF001F2
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hsbc.com.hk
Sending IP: 212.32.245.155
From: HSBC Advising Service<pay_reports@hsbc.com.hk>
Subject: MT103 Swift Copy <Payment Notification>
Attachment: tt copy.arj (contains "tt copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33750972.5861.14983.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 11:55:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t3sacxtxeuhymgr4hbuka5g6exw57i7guln5cwn6pvq64zkrhkqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a44717f99e2446d315027f4cd90bfca21e77fcba2811ec556b1193de98b7d38
AgentTesla
4aeded46b92aeea959a9f7f8315dae9d9ddd3725cb6ff0a01df1820e11ebd2a2
AgentTesla
4f3a1dd374f609e7dd16e27c282c971122e9d8afbb58068a642925ed5a5065ac
AgentTesla
4faa4683bd7134b0823bd0f04f894136bab28fb33f6163f803d08b6dd80a36c2
AgentTesla
733b9a08b05ec70c7ac0d28dd9b9e832c85e668342fffe880e0e2ab5222de082
AgentTesla
810605dffb3d645792b4f2a129faf9aa5746ec2de53cfb4d558dfbeb92531e21
AgentTesla
9542111aea614cb0c9eef7850e6778a5e3d99ad6b0c92015985950a3ee4edda8
AgentTesla
d930c880917f472dd6fc67403a55fd3097f40d48cefced7b6e76a4c464882ff2
AgentTesla
e5faf857326e895e7c9fb3da1c33c8fc0c68c0f045d5aaed1a55b2a75436a9cc
AgentTesla
ffaecfe0e94157f82c2c6b162c2e97c081d2d6c7d64bab85cea7ec9684dde8c5
AgentTesla
+ 10'650 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 062dce098567d8a0b6ff5445b6c35da0b48efff4a98934aec47bcb6d35c49da1

AgentTesla

Executable exe 9ee4015e77250f861a3c3868a074de25eddfa3e6a2dbd159be7d61ee65513aa0

(this sample)

  
Dropped by
MD5 ee878c20338ef1732dc8dbe1b671d010
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 062dce098567d8a0b6ff5445b6c35da0b48efff4a98934aec47bcb6d35c49da1

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments