MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a
SHA3-384 hash: dbd046f39c57cc457a1216d874cc96505b629ab7633ae2cdc82395ae65b6409b5ac5a81443fa62bc20fa2a4def3a7fdf
SHA1 hash: 3af7a05513a6a53a051fa50622d5fc8dc6e4bbeb
MD5 hash: b64bef8b818b4d6b18c113c83c63dc22
humanhash: oven-illinois-cola-sixteen
File name:Swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:593'920 bytes
First seen:2021-10-05 09:56:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+vCIoay8gTGPxEW7MZKnuIpmcd3drODeggy9NDN8w:+KIdCeS/MuAXCvgip8w
Threatray 10'741 similar samples on MalwareBazaar
TLSH T1C9C4F17CC7634A16CE788BF73918965107F691A882CAE3BC1DC4F4E93D63BB9946041B
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift copy.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-05 09:57:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8895711-b0b3-4448-8ef1-8c83bcb2ba3f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194973/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c2b9d98a6280f39324e53/reports/b92c6664-e11f-4313-8fd1-6f7eae563669/overview
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b11b5e61-ed99-4005-8867-0e7615480b8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864662
Signature
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 09:57:04 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ehgstovfnte5niln5vzyfddyi3q4rkyiw6sglvdrzmimod34jwna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ab5b36920783c2ba772f2a06ef832e22c07a551043dbae2c33cfcf27b1b238e
AgentTesla
0dc2c75f5d109cf78fc472ad6b777d9bb89894358f4e88ed6f5cdf2ee03cf843
AgentTesla
3bd0c04ee4c4ba078c54f4e7f5f956894204b2ccfbe84cdf934c40b28e30165e
AgentTesla
63f1f675dfba6996628ec3e6ed448f753786013fa4e626fbbf75128d0adee6f2
AgentTesla
aa9d6a7893252b4f32ae4c4113ef88d4400ddf09ff0ba0020c1c0385901a4caa
AgentTesla
cb15c498e6067588d19359544e0c2c8cf054ddf2f7b857c180c34425304f87ba
AgentTesla
d47bb2d6f7ec69ba6475aea16be4550f676dcc802088092f0d32daf42de501b4
AgentTesla
d665b7da6b1d6ffdc910b074f4dea20204c275098a808f0a2eab717b6380e86f
AgentTesla
e6a574a819e0cc41ef5ccf5ddc5e7ff13fd2e4a18079ee07b63e377e6909c0c5
AgentTesla
+ 10'731 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211005-lyxw2aheh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e1744d504276bcfc6d8052c51b0864de43e7553b59b589d37b429f956914a0b3
MD5 hash:
4073820facca8a256281c94067d97b95
SHA1 hash:
deb19bb4f2b1397f353d9ded28dc6be0790b8264
Link:
https://www.unpac.me/results/bfaff462-609e-4bc9-9f80-6cd78c9bf8da/
SH256 hash:
de266d47ce0cacf71edbd123cadcb5eef7eb651ad3e7e0ad55ace071fc1a6695
MD5 hash:
f75696baa017553db4cf94ca5a9b8fe9
SHA1 hash:
a0a3b22247abb22226aeaf7cacb3d42cad037f8e
Link:
https://www.unpac.me/results/bfaff462-609e-4bc9-9f80-6cd78c9bf8da/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/bfaff462-609e-4bc9-9f80-6cd78c9bf8da/
SH256 hash:
21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a
MD5 hash:
b64bef8b818b4d6b18c113c83c63dc22
SHA1 hash:
3af7a05513a6a53a051fa50622d5fc8dc6e4bbeb
Link:
https://www.unpac.me/results/bfaff462-609e-4bc9-9f80-6cd78c9bf8da/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/21cd29baa56c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 21cd29baa56cc9d6a16ded73828c7846e1c8ab08b7a465d471cb10c70f7c4d9a

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/194973/

Comments