MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 120d96195361d6479ef060e244d7337939541c59b434d329103627f35d65f697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 120d96195361d6479ef060e244d7337939541c59b434d329103627f35d65f697
SHA3-384 hash: 0b611403ebd661c5f58bbd82dd94035f3103c804573af5c062c647b496beea8793be588f2a7dc53e5e1f78390623cf6e
SHA1 hash: cc3c329b1424c11f7b2d8677a7261435ddde6a71
MD5 hash: 5860fb22bc4ed09bb1912f64bd8184c1
humanhash: diet-double-gee-papa
File name:Payment Swift MT103 copy_pdf.img.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:747'520 bytes
First seen:2020-06-02 08:42:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bea360bfb27d8eea8cfadfbf8d4f992d (8 x AgentTesla, 5 x Loki, 1 x NanoCore)
ssdeep 12288:+P3Ap0AcJKfs3RrAIaNq4uoLGv/fTAO5Egh82MHFXtBaW/HNWt9u86:UgKKsmIaznKHfsaZhHqFX7g9ut
Threatray 11'574 similar samples on MalwareBazaar
TLSH 54F49F22E2A04433C273167C6F5B77F85C3EBF30296469866BE5DD4C6E397813926287
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zmail.bgservice.net
Sending IP: 193.35.40.243
From: DHL Customer Support <office@emk-service.com>
Subject: Fwd :Inward Funds Transfer Notification (MT103)
Attachment: Payment Swift MT103 copy_pdf.img.iso (contains "Payment Swift MT103 copy_pdf.img.exe")

AgentTesla SMTP exfil server:
smtp.kryzlinltd.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 13:24:51 UTC
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cigzmgktmhlephxqmdrejvztpe4vihczwq2ngkiqgyt7gxlf62lq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
01623a798b7efb749c3409651a85050b58327c7dbe59740f79dac9b78ae24c9b
AgentTesla
33fefd2ae3ff75bcae6718f2abbc99bc7ca047a4543c5420883eb39e1128e9e5
AgentTesla
6b4d7ac31a05055268f04ba4a727a23c12e25892aa8ff5896b28d21ab820aa55
AgentTesla
a9d7b84cfc7fa078466ceade8534942fb80b0acd25ba3f8b848dfc12dc1fae21
AgentTesla
cd4ee674aa9d15d9b3ea4786f008b850340a14db344d5ba7ddddd0ce734fb3fa
AgentTesla
e5d0489c5b615585c49b6389f66c7f9e3694078e7648272db4632affcc5457be
AgentTesla
edfcf01c73ca6335d2040ac54b4d1513a4bb1ae7756e2ead34ddb6b03fb044f7
AgentTesla
f02f1aa81359a40dc5654db55fe211c8dff8c88a790d10089fcbca1840a84c3a
AgentTesla
f3232a34ddf3d75e57216467b754d135204fddc84a1755d694aef2c4a3b599e5
AgentTesla
fc849ef113b6dfd401b03e989e2888e30c62af7938347a2bbca04153f5b36249
AgentTesla
+ 11'564 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-a6fvv9ly26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso e3c01ede85f4a4e760f77e216858e1d6af2b4a574bb8f214cb79abd86766a7da

AgentTesla

Executable exe 120d96195361d6479ef060e244d7337939541c59b434d329103627f35d65f697

(this sample)

  
Dropped by
MD5 c0206a636fff6f6c661e228a3f23c705
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e3c01ede85f4a4e760f77e216858e1d6af2b4a574bb8f214cb79abd86766a7da

Comments