MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8b44f5df884548cc3bcaf4a3e48cb98af05133476ceb66770934a40af17ce6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8b44f5df884548cc3bcaf4a3e48cb98af05133476ceb66770934a40af17ce6a
SHA3-384 hash: cc629dc27ce761e543cfeee6c324384ac9ce1a32c28c7515da881c361e18e96f829e6e3c20712dd006ecfd107eec4551
SHA1 hash: 2057b1afabf366948649d8fbd7f0f0a435b7fa4a
MD5 hash: a2bae318d9be72fcbc04cda938ea413b
humanhash: skylark-salami-two-william
File name:Swift Copy_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:694'784 bytes
First seen:2020-06-29 07:49:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 59d2b94343b1beea04e5ae887d58dc9f (11 x Loki, 7 x AgentTesla, 3 x FormBook)
ssdeep 12288:yPOuvPFClYKfrf9fN30Wvza5TopeYcZwe6ev4EYfYxQBiJD:yGIPQYKT9lcxTxzvpRxQY
Threatray 11'004 similar samples on MalwareBazaar
TLSH 4AE4B022E2E0C433C1661B7D9D1BD77CA826BE517D2959462BE45C8CAF387D1382B2D3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: bizcloud-makesd.xyz
Sending IP: 64.225.74.78
From: sales<altapack@ms76.hinet.net>
Subject: Swift...
Attachment: Swift Copy_pdf.gz (contains "Swift Copy_pdf.exe")

AgentTesla SMTP exfil server:
caixaonlineservices.online:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15961/
Detection(s):
Win.Malware.Fareit-6863179-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c8b44f5df884548cc3bcaf4a3e48cb98af05133476ceb66770934a40af17ce6a/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 07:51:09 UTC
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zc2e6xpyqrkizq54v5fd4sgltcxqkezuo3hlmz3qsnfeblyxzzva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
037f89d6832f6b5e451d463b74c5382b4016594b9c893f18df9c1e6b8654e87a
AgentTesla
176962cff7fd1726db08ef313eae338fbadcdcac32db1ef02dbd24434d2b8b4c
AgentTesla
2360b89fa9459eeeb583d67f26ba7973751feaf3868b636dd176b1e891f47a49
AgentTesla
8e36461da17ccdda3c8ff310b8b595288f1b8621a832d0da702161cf128ba2e1
AgentTesla
8ef0020970face69487e41b57753668ccf9c709843bd7ad776add915142906f4
AgentTesla
97bb08ab5ab612641d3744f726c9369b7cd5ddeaf4b6ddaab9ee8f3d2ee66013
AgentTesla
a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d
AgentTesla
b67f72eb980e1ef037646a9fe6fa3104bc765a2e24765ace27ae2e5ed686b6b5
AgentTesla
b92387f4ebd2401753c36f466db181a1624fde4cb23cac4f26f26bb2edacbd29
AgentTesla
e939e5ac72af54c976d32967a56e22c82b4c46fc5693ebf04ccdbbd4ccdc3470
AgentTesla
+ 10'994 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200629-2xpzbc58ex/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz bff58b9f37783fbf4ee89f60273506aac91ac22d9c58042e476b12c6987fdab9

AgentTesla

Executable exe c8b44f5df884548cc3bcaf4a3e48cb98af05133476ceb66770934a40af17ce6a

(this sample)

  
Dropped by
MD5 b362891c97738fa00c46de07d81da8e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bff58b9f37783fbf4ee89f60273506aac91ac22d9c58042e476b12c6987fdab9
Cape
Cape
https://www.capesandbox.com/analysis/15961/

Comments