MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268
SHA3-384 hash:	610ae71ac6f14ac7b032cee8947845b25a37fc31e27d8fcb1a64199eb06b82c53f1dc391a1b7cb833ab1b3486637d0d3
SHA1 hash:	9e928b3a53f12fd0b8dd72b40391fd59df8f2245
MD5 hash:	00df346991ae26f5d1424c87d6be6cc0
humanhash:	uranus-vermont-jersey-pasta
File name:	swift copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	484'352 bytes
First seen:	2020-06-05 04:48:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:F5NVoDv+SunlzaugqKNtam4P763aM2O4P5tCbaCfFJf2QaMHnzPLnZ7yIvGfEt2v:EJuGT4PW3aMeB0bfeMlGfDO2XpM8KC
Threatray	9'394 similar samples on MalwareBazaar
TLSH	B4A4E08931287B4FC8BE87F588962D6017F121B7632BF2469CD774DD496CF8A4A582C3
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

1

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-05 01:31:30 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvqzm7h7banjwe454rnifzvgdyxvwamdjvdgn4x4rdhqyurcajua._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

02fafe7d00909727bb91670774f201dc8ed5122c7c0c6c25c2c8b227b6a77df4

1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5

1fb2d300e3042a8b0a43447daff7ac9104468b7b53c7d1f9faaa730a53a546b6

5c7aafd2d805b9c1fa64997203a5410c7b875fbea58994f68a60e12009d8ac95

64e97123cda644b59b1c94d47b96bbb67023bfcb7c111b22d5216c0dbe1d5aa3

6b1aade8a770446115bfaac12bd0744efa14a9115ba519cad9e979e3d2b6e7ed

6bf4d1c0e5018bdd01970b9834eaffd21f8d456d8cefe066c305cf8f8317024b

acec25e33dee791cd6ed4a5078346e4d56eb27987e27278b0d86d3c2600fdce3

d149b8b19b0a2841e483fb8e2671390b2073bba721dad0f24eeb0fbc23f4c954

d2e4ef567c497136b0b0b75929ef07643296ca2814b6b0f19303ee29cb194cb1

+ 9'384 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion rezer0

Link:

https://tria.ge/reports/201109-fc8zk7nanj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

ServiceHost packer

rezer0

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z 12cdbca5413986c28c4f784c28362e1e4d67780c6153968610d97d62b37880b5

exe 1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268

(this sample)

Dropped by

MD5 13ad6809076ca27ee1b9e5a60b7b9b9e

Dropped by

SHA256 12cdbca5413986c28c4f784c28362e1e4d67780c6153968610d97d62b37880b5

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample