MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a830eb4e3375ea016ec9c1298bff8330cd2d3737d33cdf2a63f2896e05420d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a830eb4e3375ea016ec9c1298bff8330cd2d3737d33cdf2a63f2896e05420d89
SHA3-384 hash: 4890bb3586817fc8059fff7e34a12ca46c83b81974144a6a482643e0981c7c602086bf24b7e6c82800d186b6346bcb05
SHA1 hash: bba5ae3fa386db6f9212a95796a3984e40180edc
MD5 hash: b1a02f5d654bc27530349974d21b29f7
humanhash: mockingbird-mexico-wyoming-quebec
File name:Payment swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:714'240 bytes
First seen:2020-07-01 16:47:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86cb21fe3fc32c3cf920f8a12457a1ce (12 x AgentTesla, 11 x Loki, 4 x FormBook)
ssdeep 12288:9kjUKvv3jOGU6mLXDvJiw7s2jAXuk7UC76PW+WDIsR+ZjAziHem6q:mwKvrOl6m/0mfA+65/+WDIsRiAzi+mn
Threatray 11'365 similar samples on MalwareBazaar
TLSH C5E4AFF2A2B04433D1631A784C1B527C683BBE13392569761BEBF90CDF39791346A297
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.ihszimbra24.com
Sending IP: 94.138.192.219
From: muhasebe <carihesaplar@etkitex.com>
Subject: Bank transfer swift copy
Attachment: Payment swift copy.uu (contains "Payment swift copy.exe")

AgentTesla SMTP exfil server:
mail.yaprakmoda.com:587

AgentTesla SMTP exfil email address:
musteritemsilcisi@yaprakmoda.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17717/
Detection(s):
Win.Malware.Fareit-6863179-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a830eb4e3375ea016ec9c1298bff8330cd2d3737d33cdf2a63f2896e05420d89/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 12:46:55 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vayowtrtoxvac3wjyeuyx74dgdgs2nzx2m6n6ktd6kew4bkcbweq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2522fc0ce2abffd595456b71ae2c01d8dfb4fa3597d2e0d2aba38d1ff3ee42d7
AgentTesla
290299b025d885dcb36dd2ce9babc9226c9ff942468a8a6c6ee38cf8a3c00144
AgentTesla
2a00c8f1e74ad67fbd46cb64e3af0cbe77f56f99b7b2f8856703d4a0e2bfa7da
AgentTesla
3ddfcc0ce0a57e7f3131d0ba603d6516f00c6cf94f67e79ab38a7e8f922f74bc
AgentTesla
3de5c485f705f1cdf6088142033fb366aafa369044f74cf5a01a8c3517daa831
AgentTesla
71b83f4b162ab93a8782ab6c32003196be876d98595f24634bb81d0e20394a91
AgentTesla
aa556dde1f62e5e897bf5db6980f8202febe626f2e9840190f1f2695eec3c065
AgentTesla
b3770ed7e40082d700739a98f8be9a3a338be55580942c0baddc5f03e03e5a63
AgentTesla
c6611e1d592e48c66d7bebb31aa7adf6efe3614c77a01e2fcfede2f64c097e83
AgentTesla
e23a268f1e3c63c4b2460a42e219a7237744ddaad6d9bf383977c85d9921843d
AgentTesla
+ 11'355 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200701-ta5xywv24x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 240bb80253af659c1db527120a01cf6e80eb0d828efc7f2e068344507706dc63

AgentTesla

Executable exe a830eb4e3375ea016ec9c1298bff8330cd2d3737d33cdf2a63f2896e05420d89

(this sample)

  
Dropped by
MD5 9322e027ea4943ffbfe15dd8345e41be
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 240bb80253af659c1db527120a01cf6e80eb0d828efc7f2e068344507706dc63
Cape
Cape
https://www.capesandbox.com/analysis/17717/

Comments