MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0262d3c3b2b03ad33d112361a02cc54ae49aab91042075c2978f14cb2aec0093. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0262d3c3b2b03ad33d112361a02cc54ae49aab91042075c2978f14cb2aec0093
SHA3-384 hash: 2ce3efce89f85b540819ad75e2117700ee7e73d04dbc6ce29b84b1647aed8d594e1dc0b5fc204b2ce8d9dd1ac9fdfe69
SHA1 hash: 1f042a98b054c92a74e8ed29111115e52f7d6d16
MD5 hash: d432ebf2eb0bba78a1d616b6acb8e09b
humanhash: nine-july-sweet-montana
File name:30% Scan SWIFT 09557875678.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'451'008 bytes
First seen:2020-06-10 11:24:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:tAHnh+eWsN3skA4RV1Hom2KXMmHafFR/dsARK9ezK86LqUv724kjt6SUXZJ5:Mh+ZkldoPK8YafBrlzB6GUv724tSYB
Threatray 11'104 similar samples on MalwareBazaar
TLSH 7665CE0273D1C036FFAB92739B6AB6415ABD79254133852F13981DB9BD701B2223E763
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ip181.ip-167-114-177.net
Sending IP: 167.114.177.181
From: Maggi Scarlette <Maggi-Scarlette@gmail.com>
Subject: Rv: TRANSFER.
Attachment: 30% Scan SWIFT 09557875678.zip (contains "30% Scan SWIFT 09557875678.exe")

AgentTesla SMTP exfil server:
smtp.pharco--corp.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 11:25:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ajrnhq5swa5ngpirenq2algfjlsjvk4raqqhlquxr4kmwkxmacjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6169ca9934aa8acf615fba63a182eac496ed480ecd7eca3689c1859bcfbd10ba
AgentTesla
6972fcf47a2db0c5ce7cd905bd12cbbc5155e98f57e1362a8b1a3c94177a2419
AgentTesla
6aabf54e49076a1e1ba3f8b06c90b86932585d7648151db9ea0a2c0c55d00dae
AgentTesla
6b6e59a4d06a6facb44ad4bdc483ea0de5edfcb0422a7c1c477afe3a87180279
AgentTesla
8f32b214dfe7dca133c2c100d46aae307ae1436a2b4afa27f261cb51c7ae262a
AgentTesla
9c7b103e3aaa595ae90af29253f1c0c7062dba34fd4b97070644105b025a3488
AgentTesla
aa72cac1ef23e95b93552363feb47970ce53eda70296757aa29c1f445d9529be
AgentTesla
cbfc08ab907fa89fcf4921c6824a84f112324ff1acaa63934774bba8d98f2b01
AgentTesla
f7591a2de2385aa3dad95196e96345c79780582807efb02718e37dfd4f092e81
AgentTesla
f8311c2389077ec88e9a7101e5950173d00356248136bc3e2242079ac4398cf6
AgentTesla
+ 11'094 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-j64hx2rjyx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 290af6903bb9fcef841b7d0bd2659044dd9ccf661763a37fdec7d98530885677

AgentTesla

Executable exe 0262d3c3b2b03ad33d112361a02cc54ae49aab91042075c2978f14cb2aec0093

(this sample)

  
Dropped by
MD5 c580a7ecfe7b010732589179f65f9cdf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 290af6903bb9fcef841b7d0bd2659044dd9ccf661763a37fdec7d98530885677

Comments