MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6ac531e33b7798bd3c5cb07048af206fd3f5551902f7cde6889c652302476f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ea6ac531e33b7798bd3c5cb07048af206fd3f5551902f7cde6889c652302476f
SHA3-384 hash:	18cc13f8761789b4afa5dbd982c482100e75b819aca7f7de7d6f721c7fcc44e2f712e651364badad5f89696a6ed068f0
SHA1 hash:	15e4e3e9164a9329a1c2badafa899024770edba9
MD5 hash:	112fe9729b3e79fa1df7d32fdf9898a8
humanhash:	fifteen-ten-eleven-north
File name:	SWIFT ADVISE VD21082020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	621'568 bytes
First seen:	2020-09-01 05:06:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:6kGerYTlNja44YxgAnxCFhsv2QLjx74cTRx6OmJjtL09zBIRAZzT6b5WxDiDC60X:4eie44yg8gheRVTRx6OiL0FBnuFW
Threatray	83 similar samples on MalwareBazaar
TLSH	FED41322556D47EBCAF50BF8640E366BE360A4FBD41DE2AB28D0758642F73808773D16
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vps.confidencegroup.co
Sending IP: 162.144.59.93
From: George Joseph <info@koh-chang-villa.com>
Subject: RE:SWIFT ADVISE VD21082020
Attachment: SWIFT ADVISE VD21082020.ace (contains "SWIFT ADVISE VD21082020.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

98

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53796/

Detection(s):

SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/456148

Signature

.NET source code contains potential unpacker

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea6ac531e33b7798bd3c5cb07048af206fd3f5551902f7cde6889c652302476f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-31 03:41:30 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jvmkmpdhn3zrpj4lsyhasfpebx5h5kvdebpptpgrcogkiyci5xq._file

Verdict:

unknown

Similar samples:

14ac862307f76bdf323ae2ae84ed2b46b35483202bf81031c716143343ba7b00

14c779eb9e7f6a3a77a4e0df7a8b64d7a74f7db8a7dede57dc5ce8936b83f5df

333bca520269ca114176493ed2b944cc38cea0bbf11844942f3b632bbe27378b

37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8

545305810b041d0a1ea357652c1b98aa714b039c16af8d1d7ecdd8e513a59d8b

9ffb458e6d120f6d42906c102ce49ecefbe4a937d6b605a4d3a1b3a7dc15e627

ae386b6cfbca2ad61a9a4d642e99cd9bfaf9cf7fd647c2b420884df5f6692ddd

aea7319d67789e4e524c4af9bcb842d66593a97dff25cb4be43eee5f5fb86963

bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7

f595019c294b2717aad61673e0214db90da5f880d5177c81b30f053004450a56

+ 73 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/200901-e4h38fjn9a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea6ac531e33b7798bd3c5cb07048af206fd3f5551902f7cde6889c652302476f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ace d9e7f65edda0b0c6f7f6dbc1ffbfb8e39eac70ea0c0ec03733c0a319a564509a

exe ea6ac531e33b7798bd3c5cb07048af206fd3f5551902f7cde6889c652302476f

(this sample)

Dropped by

MD5 aeb1c8673d1c8b67c7a2bab27fea1fe4

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/53796/

Dropped by

SHA256 d9e7f65edda0b0c6f7f6dbc1ffbfb8e39eac70ea0c0ec03733c0a319a564509a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample