MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477
SHA3-384 hash:	ac2f10847a5c5b65fbc0e96a3c252fa5b973f72a4d4007cb8949d34a035d45d2d9acc4bd1c2bcb4abac9cde749e21909
SHA1 hash:	c0dcbcf045e58c6d7ab651bc98121ef1b340b8b4
MD5 hash:	780cc74cb99a1fed0620414875e59e00
humanhash:	lion-speaker-ceiling-princess
File name:	Swift copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	649'216 bytes
First seen:	2022-01-13 14:16:50 UTC
Last seen:	2022-01-14 06:55:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:FDSZPG+NUDDbrotX2iItM/VcOZC/R/xawn5XeOkY2t57I6moQ0y2QgrD:FoG+wDElIW6gIh/n
Threatray	13'706 similar samples on MalwareBazaar
TLSH	T137D47C9D30E275EEC4EBC1F189DA5C57EEA074B60B07410B651F089AA94DEE6CF1C1B2
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Swift copy.exe

Verdict:

Suspicious activity

Analysis date:

2022-01-13 14:19:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/492ae384-b64f-4163-bb4a-6b90244da990

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/219049/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.17514.4721.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Launching a process

Creating a file

Searching for synchronization primitives

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/61e03469e997359713e66ba2/reports/4e230eec-bf45-4adf-8c42-918638c142f6/overview

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52b73de9-093d-4d53-a6b4-83eac122e9bf

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/920143

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-13 14:17:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jqm7twneim7nn4kvh5mulh6zcafy75w5wayeotazo6clcwyq2r3q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4e1310dcbe61956354f58b7a45254e17974d431691e4eb21aebe8fcf92b8ef34

AgentTesla

57d174cba1f8d71729c92a0f826b379491585dd53e1d1a11397b46ae6049f217

AgentTesla

606c0fba8a5d431c5e2f2def1d52fa9dd68d0fb9ae415c25ef7b3b8895317add

AgentTesla

89929733252d699088129ed01277898b2ab5ce2619f336ca83049868f2b3998a

AgentTesla

a21e9d72d37a2bb09edd9e49e1751c766cfc86109bed201cb2026e111f3e1b56

AgentTesla

+ 13'696 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220113-rlqj3sagd2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

214d10cc28c6444c8e221987ffadb13074f286d7759f0a3ab77e7c220340002c

MD5 hash:

80964ed41e2ffa82e51fbb8573bd89af

SHA1 hash:

b7b854a3a82beda68d1045f299e7af9ab577e10c

Link:

https://www.unpac.me/results/d5eaaa07-ae84-474e-a2b5-e54d4eabb8ea/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/d5eaaa07-ae84-474e-a2b5-e54d4eabb8ea/

SH256 hash:

5a24b1a0188261c70d0a5aeffb778500ed1512f16e5c11f6f5a7fa1ab78a7d38

MD5 hash:

89aa33b4e1ef0d577b9297dc0639a849

SHA1 hash:

28b5cdf3801d61923e6c1102c04e2e009212cb21

Link:

https://www.unpac.me/results/d5eaaa07-ae84-474e-a2b5-e54d4eabb8ea/

SH256 hash:

4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477

MD5 hash:

780cc74cb99a1fed0620414875e59e00

SHA1 hash:

c0dcbcf045e58c6d7ab651bc98121ef1b340b8b4

Link:

https://www.unpac.me/results/d5eaaa07-ae84-474e-a2b5-e54d4eabb8ea/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4c19f9d9a443/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 4c19f9d9a4433ed6f1553f59459fd9100b8ff6ddb030474c197784b15b10d477

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/219049/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample