MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa309daad5243e93967f396f770466383bd74dd20a0b83c1593d55a6e66e973e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa309daad5243e93967f396f770466383bd74dd20a0b83c1593d55a6e66e973e
SHA3-384 hash: 4e7967968cfee87a43c73154f7e02e384d45fed65bba8ff25143ec3449339a057aaa4767bffc30cac22f913497510ff6
SHA1 hash: 1f5aec06798393b239d107a4ea4863b26f2b5a8e
MD5 hash: d5d3133af717915b73ad7e5fa70ad522
humanhash: october-montana-december-queen
File name:Swift TRB#032896541286452790001545665400111.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'398'784 bytes
First seen:2020-06-10 07:23:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:8AHnh+eWsN3skA4RV1Hom2KXMmHaR+nzd7DxTMdyLiV5vNRW0I12TE5:bh+ZkldoPK8YaRyFuyLiHCP
Threatray 11'413 similar samples on MalwareBazaar
TLSH E355CF0273D1D036FFABA2738B6AF2455ABD7C254123852F13981DB9BD701B1263E663
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns12.iraq-dns.com
Sending IP: 185.52.101.73
From: Jaslin Hong <Jaslin@itxtrading.com>
Subject: New Purchase Order
Attachment: Swift TRB032896541286452790001545665400111.rar (contains "Swift TRB#032896541286452790001545665400111.exe")

AgentTesla FTP exfil server:
ftp.irregnancised.com:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 05:44:06 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7iyj3kwveq7jhft7hfxxobdgha55otosbifyhqkzhvk2nztos47a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
0687d57f87a19e9860bc0f991a91ea9af31f8625dd15d191f4fac7e73520b49b
AgentTesla
1631bd051bd9ef096e2cd29bba5c549e8b4028dc9de457c2bd5ee060c69a7e6a
AgentTesla
19f424c3b0ad6511d58458785862513f6c86a832b2f1837b4581ddaf6036d857
AgentTesla
1ca6d3246b59dbf5e36a28035595f2b886a9c26cbc4329c6ad5e77cbc272af08
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
70e99108b5577011f7484785487d9cb5149dd1070138fa121407658053322cdd
AgentTesla
aafabbc33c3dcab75195c0a68e244c0b65043fd2fb966e8e66c46f76a1fca7dd
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
e57b3fac2ff014d32527f235abf0efc4ddf672cc3781b1d5964bd635ed21cdf6
AgentTesla
+ 11'403 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-sb7ztavv2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 252646ee2dc83b043480ccbf81f1c5d9126879c81feec5b70d7b31a8d54bc6a5

AgentTesla

Executable exe fa309daad5243e93967f396f770466383bd74dd20a0b83c1593d55a6e66e973e

(this sample)

  
Dropped by
MD5 1b65d53c9705d4135b29ae3efb6b2c0d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 252646ee2dc83b043480ccbf81f1c5d9126879c81feec5b70d7b31a8d54bc6a5

Comments