MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067
SHA3-384 hash: f2f9aaf2bdd009097bfcd8ed05c3ab544c416953452a325fe34d706b2dfe296670914fe3e442934d5fc5c167d1bce412
SHA1 hash: 16e30952872508690c7f31403962908816a50785
MD5 hash: fd0830b1f44a17f0c46356993cbdc338
humanhash: helium-monkey-july-muppet
File name:Swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'112 bytes
First seen:2020-10-07 10:57:04 UTC
Last seen:2020-10-07 12:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:O+9x7Mz6vWs4REyh6DD0U2RVQyiY4yBapA+eJ2t/5Lwu7mL5GWeudpK/Sr:DD73QEvkU+61A+XBWu7mLoWhp/
Threatray 371 similar samples on MalwareBazaar
TLSH 85B417057709EAB5F1AE417144C2D2F20302FCED6993916A6FC1FF1E39B3A450A1EE66
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dbs.com.sg
Sending IP: 103.141.138.129
From: DBS Bank<info@dbs.com.sg>
Subject: TT- Swift Copy: 471/35/13A-2773 From DBS Bank
Attachment: Swift copy.zip (contains "Swift copy.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68905/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484043
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294464 Sample: Swift copy.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->45 47 Found malware configuration 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 6 other signatures 2->51 6 Swift copy.exe 4 2->6         started        9 kprUEGC.exe 4 2->9         started        11 kprUEGC.exe 4 2->11         started        process3 file4 53 Injects a PE file into a foreign processes 6->53 14 Swift copy.exe 17 5 6->14         started        55 Antivirus detection for dropped file 9->55 57 Multi AV Scanner detection for dropped file 9->57 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->59 61 2 other signatures 9->61 19 kprUEGC.exe 2 9->19         started        23 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 11->23 dropped 21 kprUEGC.exe 2 11->21         started        signatures5 process6 dnsIp7 31 mail.a-k.co.ir 144.76.118.219, 49747, 587 HETZNER-ASDE Germany 14->31 33 elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20, 443, 49746 AMAZON-AESUS United States 14->33 35 2 other IPs or domains 14->35 25 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 14->25 dropped 27 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 14->27 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 Tries to harvest and steal ftp login credentials 14->41 43 3 other signatures 14->43 29 C:\Windows\System32\drivers\etc\hosts, ASCII 21->29 dropped file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067/
Threat name:
ByteCode-MSIL.Infostealer.CoinStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 09:15:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfmlp5swdjfeuqnqkhp5vpnxh2du7fswwaidt7hiievl5fwzqbtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
286b00dda63a28a1d22aae31f1622b04700207b92ab0f033e8885fb55eaa3e86
AgentTesla
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f
AgentTesla
ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537
AgentTesla
+ 361 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201007-acly6s442x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067
MD5 hash:
fd0830b1f44a17f0c46356993cbdc338
SHA1 hash:
16e30952872508690c7f31403962908816a50785
Link:
https://www.unpac.me/results/bb5c059d-27b8-4ba6-93a3-73dcd36261fc/
SH256 hash:
3cf8a2782094b41c570a575f535c55b738ae524355c84be64348852d8aef4444
MD5 hash:
ae306ef1ea66439d7cbea97a58dd2cdf
SHA1 hash:
2658523ee348d72affca2e6b87368a9e92f8047e
Link:
https://www.unpac.me/results/bb5c059d-27b8-4ba6-93a3-73dcd36261fc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 350b5b7edc52a6b257d7c7f39f561e054dd548fbceb8ed806ef8256e863eecaf

AgentTesla

Executable exe 0958b7f6561a4a4a41b051dfdabdb73e874f9656b01039fce8412abe96d98067

(this sample)

  
Dropped by
MD5 c5f4c0a26d65f0f41754e708d19537b9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68905/
  
Dropped by
SHA256 350b5b7edc52a6b257d7c7f39f561e054dd548fbceb8ed806ef8256e863eecaf

Comments