MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a70ab4bd1b993dda983bbaf6598fd015d696c2de7f4551b62dde8afa1f17dec7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a70ab4bd1b993dda983bbaf6598fd015d696c2de7f4551b62dde8afa1f17dec7
SHA3-384 hash: 576b8fbdf6964018bc7df9d4ea274f6d73a4d745d1da5a195a951e63b66fe8dff2ad736f3843eddac1112d3b148f39d7
SHA1 hash: 95179dd1caab16c91ec6895cfab643791a46b825
MD5 hash: aee30fa2ad4a3e4704e79b9e5b10257f
humanhash: september-yankee-maine-montana
File name:05-25-20 swiftcopy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:436'736 bytes
First seen:2020-05-25 09:16:43 UTC
Last seen:2020-05-25 10:16:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qZhdP2Yl5KVdGYiLhGoqGf/FVnGteGNJ:YN0VI1qe
Threatray 10'582 similar samples on MalwareBazaar
TLSH 2D94128132AC2B7EE07F47F94871514053B634772E12E78DDEC660EA49B6F814D22B97
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: oiigroup.com
Sending IP: 216.170.112.205
From: Ali Shehab <info@oiigroup.com>
Reply-To: tphels@secretary.net
Subject: 05-25-2020 Swiftcopy
Attachment: 05-25-20 swiftcopy.zip (contains "05-25-20 swiftcopy.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.299.31358.2895.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 09:46:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
098081d46fdcd470aec4d1e75d2adeb27af1e7cb8c4930ce21e3b1ea781a8df2
AgentTesla
1c8fe3e075feed316c0015bb98b9ff39595937fbb83ab917da54bf03ec13d701
AgentTesla
2bed88b1a0b859e4f56ee1f41117f1be645cb078c4e468351e06cf8ea9f4ec2f
AgentTesla
35d7bfaf15b4c37dd98a3906fa758f760208f1d61424a29aaf9db44d43d87979
AgentTesla
38525021970c707fe513c2589e60dbd8ee2d052e1f4700837a5b132b28baaa33
AgentTesla
4664b88274ef7c903d7eb7c18ab51ba8109640210334f648d696afcecf935ddd
AgentTesla
9daa42a9c9f129a3f0bb45e5de2b76b573d951237a637ba1a509a1ef0f9ff46a
AgentTesla
bcb7da4d62467320eadecfe6d6157941a2b73d24a22925465bacf3c434aae525
AgentTesla
c3dc317b25bce9e92fa7db833698fa5ff50ef74f65abbd5e57238cd95b12b01e
AgentTesla
c4a9097951e01edfca31802d6bbcca0de694a3d146f9f777434543aeb0a16f07
AgentTesla
+ 10'572 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-9sm8a8ea16/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 071f984c757a2ccc1d19a19edd3085973a330db8caab3053dfd0e8b03646e13e

AgentTesla

Executable exe a70ab4bd1b993dda983bbaf6598fd015d696c2de7f4551b62dde8afa1f17dec7

(this sample)

  
Dropped by
MD5 a518b78d5436452219f34373cdcccec1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 071f984c757a2ccc1d19a19edd3085973a330db8caab3053dfd0e8b03646e13e

Comments