MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9
SHA3-384 hash: cc3a012aba40e72923f1cf8c79488620c3868e0cac10e34fa4a752ac6e459f189e11f86e009ef458d17a0320beb2dbb6
SHA1 hash: 55c6d66086cb7539f0f6ecc624c839875c081874
MD5 hash: fe7d393a843474ab7c04a323a9b91e70
humanhash: foxtrot-green-double-gee
File name:SWIFT.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:781'312 bytes
First seen:2020-10-19 06:27:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:6+BhC/MMs/PsjLMemVMlw84fdrt0+sBtPXvXbRsgqVzZbRStl7zpnQAQGHx8Kz/1:6+BhC/MMgsjTmVMlR41JsbPPmgGbRSRv
Threatray 323 similar samples on MalwareBazaar
TLSH D0F49D1423882F68E07EA7319860518097F2BC56DB35C65EFDD529CD2E72F82C36B636
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cwp.zelenilo.com
Sending IP: 213.240.61.171
From: Milorad Krivokapic <dekany.minor.sk@gmail.com>
Subject: Fw: SWIFT poruka-potvrda izvrsenog placanja
Attachment: SWIFT.pdf.cab (contains "SWIFT.pdf.exe")

AgentTesla SMTP exfil server:
delovnaposta.telekom.mk:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72719/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494851
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 00:12:59 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fisp7jwxe2seyvrc7xrovqhq45yamov7lpgkr6nthqexm55o2kuq._file
Verdict:
unknown
Similar samples:
547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
AgentTesla
5af92a0def6249cc97bfd12ac3ea0a5df1718501d6968391eb709afdf932594b
AgentTesla
6e1ea62f74eb06a3dd77f8a2ba47f435c0d97e6ce6e99a50049b65f10b70dab1
AgentTesla
7b934417ec20eb76c6f671d8447a166792d543d6955d957fe8adaa557043b3f7
AgentTesla
86982b1027562eab1b1cf1a8edc4fa165bacc43ae328405e7ec633f44b072796
AgentTesla
86e0b495f7101c01551635f66d4ee6d7125b8cf75357fc17708e404272080795
AgentTesla
9cf352296df92c69780aed1e0b7d83cfae5e44add04aca6b9e875a6c88aaabf6
AgentTesla
9d45b07776018c62541d967cf176f73f8da64b34c387ed2692b1527e03f6adb5
AgentTesla
9ff5b2b97a5851e64863eb11299ebb8f096d08a3ea8730fa4db49fba2e770d3d
AgentTesla
b96c74f4b922042a1e720bec81fcd230a007956f38889645c0a59f17d6365ba7
AgentTesla
+ 313 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201019-lqfvvwx8cs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9
MD5 hash:
fe7d393a843474ab7c04a323a9b91e70
SHA1 hash:
55c6d66086cb7539f0f6ecc624c839875c081874
Link:
https://www.unpac.me/results/11a02bca-cc88-413f-b4d5-876499761eb5/
SH256 hash:
f1957b8b1601d08030baa44b0cf846688323cf1330f0d7dd38e9fcd0b06d71f4
MD5 hash:
11e607b668bfed8626cddefa5793e1cf
SHA1 hash:
0364b62071486bc7b488bffcae30a32f5a578686
Link:
https://www.unpac.me/results/11a02bca-cc88-413f-b4d5-876499761eb5/
SH256 hash:
587446262244cecbbf34440cb1e046f45ba0d6b85ee47722e0e189a1fcbfc36a
MD5 hash:
eaa609caf5b786749f63a487fc89110d
SHA1 hash:
6eb89bce92b4d54e3720d37b584af66e61100c00
Link:
https://www.unpac.me/results/11a02bca-cc88-413f-b4d5-876499761eb5/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/11a02bca-cc88-413f-b4d5-876499761eb5/
SH256 hash:
8de9028736e7cac59b80eeb269f74484756159bd1b4858c7506241c990a97fb0
MD5 hash:
82657ddf8f6df4c579046b81ee8283b3
SHA1 hash:
f8d3a8a46a6c9333533e000bc840d82d071a8409
Link:
https://www.unpac.me/results/11a02bca-cc88-413f-b4d5-876499761eb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 480cd3bc03f14a0132e05718fff0926fbe44cec403be8d8072bed388be29de49

AgentTesla

Executable exe 2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9

(this sample)

  
Dropped by
MD5 bbc9f92c2b3c6dfbb3a5764facde3251
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 480cd3bc03f14a0132e05718fff0926fbe44cec403be8d8072bed388be29de49
Cape
Cape
https://www.capesandbox.com/analysis/72719/

Comments