MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0937c5bb829428c796c4c9a92c39f127424f034d2b3e2882a0bd32fcef53a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0937c5bb829428c796c4c9a92c39f127424f034d2b3e2882a0bd32fcef53a1f
SHA3-384 hash: 1f4f71ce28f488aba884dd5e6992febe3081d6f96b5fccaf8a296b8ce8fe609ae720e62097e4118f85c9aec41234748e
SHA1 hash: 743781f72c1c7785f8cc29bc8d10573057010aab
MD5 hash: c279538835c238dacc142226eb52e524
humanhash: comet-carbon-november-seventeen
File name:Swift Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:631'296 bytes
First seen:2020-08-18 11:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:gIqf9A4aA2VpB4+C1gUJu2fgnE7xI5aaXPunnEvQBjhK:m9A4aA29C6Mfj70aaXPMCUjg
Threatray 10'436 similar samples on MalwareBazaar
TLSH EBD4F1363384DA11D2BB5336CC98514413FAB802A621EB2EFDDC225D4961BE74B637DB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: craigwood.com.hk
Sending IP: 185.222.57.238
From: kay.feng <kay.feng@craigwood.com.hk>
Subject: RE: PANAPESCA PES50526 SWIFT
Attachment: Swift Copy.gz (contains "Swift Copy.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47701/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c0937c5bb829428c796c4c9a92c39f127424f034d2b3e2882a0bd32fcef53a1f/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 11:07:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycjxyw5yffbiy6lmjsnjfq47cj2cj4bu2kz6fcbkbpjs7txvhipq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
054ec2f2a97d3ded97d4f25574b131e809ff1446a1c309a3c76bd4a8cf385fe6
AgentTesla
0c99bd1e390818f0e61bd03909c5f53bd9d45d470f0c368826266792a609e1d7
AgentTesla
1b891a31aa508effd78b280b17b15c26272802119470fe5d80de04967a924e53
AgentTesla
3e97661257ce0ef03a853b691e8a9f8af760c3237b72135a352570d1dfd5c959
AgentTesla
4db172a3add025bb44505c227dc6ed6fadd0ca3f47f41b46ae11b7865b481539
AgentTesla
64f8fa17e1c81734ad0dda8ad659c1360b9ae231890a4c9557ac771b99a01c78
AgentTesla
652c0bdfcb3143e7e53653a820dcf1a3528afb60a09ae7817ef20e6094d97596
AgentTesla
8e1f5e94e0e8ea6f82b75d5b21f3964b77df3810c65a875c1ddfcaef53c5e10f
AgentTesla
9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d
AgentTesla
e192674e243cfae4c1e3e45e31084bb4bc3434a05342f6160caf2ce4b7c0ded1
AgentTesla
+ 10'426 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200818-wfgwgkc6aa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 1f2218fa3f154a978ee5f69eb54a4604ecb3c8e3f7e004cfd76beb9d697070ab

AgentTesla

Executable exe c0937c5bb829428c796c4c9a92c39f127424f034d2b3e2882a0bd32fcef53a1f

(this sample)

  
Dropped by
MD5 4eb0a6b84767bf66d67b2f9a86285af4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47701/
  
Dropped by
SHA256 1f2218fa3f154a978ee5f69eb54a4604ecb3c8e3f7e004cfd76beb9d697070ab

Comments