MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2645cf7e9731a0340c150e0beadaf8dc22fdd0bc5edc2e642c27b438300b3a92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2645cf7e9731a0340c150e0beadaf8dc22fdd0bc5edc2e642c27b438300b3a92
SHA3-384 hash: 02d44a7062e69442f1bc2e3fbc62f74d1d455e94ec6a0668c430e1f2a96b13e7c8e54e4ab684c9b4265ab6e7d7f8193d
SHA1 hash: 4747c154f9ae81e0a3e489f0e55f44e95c09520f
MD5 hash: 5ffa513ea6a5ee45e2a25292e220c652
humanhash: timing-arizona-lithium-berlin
File name:Swift 01.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:626'688 bytes
First seen:2020-07-01 11:09:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:KYVN2cnGKUvAjXAYAabyAI4AeLa8xThl+uq6K4z/5fwrU2GRpFciMFcETJABVfM9:KnDAtwQ2NtAE13ToB3S
Threatray 10'724 similar samples on MalwareBazaar
TLSH FCD47B8079B68BD6D9B257F60A21580047F6B97A703DCE664D8221CBB9FFB404E4DE13
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.mtgsofd-kwt.com
Sending IP: 94.156.189.55
From: Account payable <sales@miklar-supermaket.com>
Subject: Payment Transfer
Attachment: Swift.iso (contains "Swift 01.exe")

AgentTesla SMTP exfil server:
mail.ltepl.com:26

AgentTesla SMTP exfil email address:
nilesh@ltepl.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18200/
Detection(s):
SecuriteInfo.com.Malware.2048.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2645cf7e9731a0340c150e0beadaf8dc22fdd0bc5edc2e642c27b438300b3a92/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 11:11:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezc467uxggqdidavbyf6vwxy3qrp3uf4l3oc4zbme62dqmalhkja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
112119f35421deb465459bd5fd6a83b717ed74986317643c2d92364cbbd78da3
AgentTesla
33131a8d850e1f7afed43730d35f1f2afc7d7a504ab87d60a6850c0a7541fe99
AgentTesla
331ad640150b388de38cf641dc2ae8b630127547ccee81b74fa5e0dc24cb797e
AgentTesla
4bf1fd37adafd606267d83a3def9b6c0d44b9094dbc650755f12219af5753399
AgentTesla
7517268fa9a5918285b964fc4c23e7b012e08a6ce0ccd6ae9b4e12b6f7a66b93
AgentTesla
a7534a67287f201714e7983107df187fc9b9fee458ff257d69dd312e17f8fd6d
AgentTesla
aea1493bc9d4796294250d7b06a160c61f4014b1ca13473f4a5877a674083772
AgentTesla
d323ad1ca431acbe0b5e81ca108a0535591a33e7587b144f4354a269f0e1837d
AgentTesla
d9a6f61b88269cd89559b8953313e6d2a587b031788508d5c7f4e06eedfc5850
AgentTesla
eeac5a93cbddf4199153c4a54460b5c618c097814be44e5c2b57ad4255c8546e
AgentTesla
+ 10'714 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200701-jzn1t3czle/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 0c302b97463303bba1bef43aff1a139098d502f4f11d26b2b30c9fc16fb76106

AgentTesla

Executable exe 2645cf7e9731a0340c150e0beadaf8dc22fdd0bc5edc2e642c27b438300b3a92

(this sample)

  
Dropped by
MD5 1a4b17ee90530873941aff5d9ed2cf00
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0c302b97463303bba1bef43aff1a139098d502f4f11d26b2b30c9fc16fb76106
Cape
Cape
https://www.capesandbox.com/analysis/18200/

Comments