MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a2c192ea2d0138b061f9c5bd128a0a198b773a414c297c7fa3ccf2f4e8938b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a2c192ea2d0138b061f9c5bd128a0a198b773a414c297c7fa3ccf2f4e8938b
SHA3-384 hash: 9929a4c38aba3f96c94525ad29b49266b50ad3dafc1fe80c867a06f91ee21a37cc775c29fcaccd6d1e1dda1cb046f398
SHA1 hash: c96e719b6739bd84f9a2f28f6f6aae97b9845496
MD5 hash: d88d45f7efff849c34f4b915346fd9e6
humanhash: oxygen-seven-may-undress
File name:Payment_Swift.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:608'256 bytes
First seen:2020-06-22 11:53:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:CjTSavAzC8R9ha7VZ0UaBNNy7skydt44Ai:CXSav0R9s7sUINMItt
Threatray 10'581 similar samples on MalwareBazaar
TLSH 44D4F0407FA8470EE56A6B7E2120125E233673EA4A16D6CD08B7FDDD5D22F435288B73
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server02.hostngon.vn
Sending IP: 203.162.238.30
From: Baek Hyeon Cho <office0forward@gmail.com>
Subject: RE: Due Invoice Payment Wire Transfer Document
Attachment: Payment_Swift.rar (contains "Payment_Swift.exe")

AgentTesla SMTP exfil server:
mail.pro-powersourcing.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12575/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5a2c192ea2d0138b061f9c5bd128a0a198b773a414c297c7fa3ccf2f4e8938b/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 11:55:05 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwrmdexkfuatrmdb7hc32eukbimyw5z2ifgcs7d7upgpf5hisofq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10c24ffda3666a7002c71e331f52742fdbdf53d38d2278d5d57687af24ce2f72
AgentTesla
16323d4c8b9b81750381853fb6a76292694aba2e21a74e3bc31ca78f47da4a4e
AgentTesla
17bf4172650d0fbc833533880e7ed702fef86180f55c5a51d1f93d3c55f1577f
AgentTesla
7a6e442073f096f21d8376f4307fea2be195615bffa7246bc555581f38783da3
AgentTesla
7f547a386bca141205b0b5ce1d37c2de284b25988c8dc693ded6e10232251626
AgentTesla
8d0e6eed295f741dacf9a0a752984c696633536c47e21a2c2a1c7b95adbc35de
AgentTesla
b8816e0b814bc0528b84fe7e0e89cf5e8168b64a8028d8610510a59f3f7c2268
AgentTesla
b9f01aeeefff60dcc8f6a40f77b5d30a89e4a3e48a9b072b5177b80a9e6471f4
AgentTesla
c87d0af1b7d984327de7a8e4a46c3d8b2cbfe2c6e74d3c31e158b7d92e42226e
AgentTesla
fe089b4dda7179a6e0865e49f2ffc60f6de7457f90438504ebd72f0e6e8c1e3e
AgentTesla
+ 10'571 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla evasion
Link:
https://tria.ge/reports/200624-522e8t1v6n/
Behaviour
Modifies registry key
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fb7b1fd78723a328818b76b015489cdc

AgentTesla

Executable exe a5a2c192ea2d0138b061f9c5bd128a0a198b773a414c297c7fa3ccf2f4e8938b

(this sample)

  
Dropped by
MD5 fb7b1fd78723a328818b76b015489cdc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12575/

Comments