MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c12f69c9907c35269bc9893b25c5440583167d7384d838c285bd97b8726337b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c12f69c9907c35269bc9893b25c5440583167d7384d838c285bd97b8726337b
SHA3-384 hash: c2315e9e32b5b48bd089eb3b1d3e7c3d569b8e6b3aa1f186274c7efc2403f42e808d247916a8cea2e848dd8f79538a4d
SHA1 hash: 78c42598f90e2cb2625a130bb715ba1da024b474
MD5 hash: af9bb5934be920668eb417cdb72f7148
humanhash: comet-ceiling-oklahoma-east
File name:Swift-pdf.gz
Download: download sample
Signature AgentTesla
Create hunting rule
File size:6'808 bytes
First seen:2021-07-22 12:09:19 UTC
Last seen:2021-07-22 12:09:55 UTC
File type: gz
MIME type:application/x-rar
ssdeep 192:Wvz/dQjso70apaEwyQ9PmkrpMpUT6VAjMONK:Wvz/O4wD1Q9PkUT6K1o
TLSH T1FCE19E31E072353871CC797D2D9B9C3413AFA55FB1F861312A5D766489AC02BDD0A4D8
Reporter cocaman
Tags:AgentTesla gz SWIFT


Avatar
cocaman
Malicious email (T1566.001)
From: "info@siatigroup.com" (likely spoofed)
Received: "from siatigroup.com (unknown [103.139.44.91]) "
Date: "22 Jul 2021 05:09:04 -0700"
Subject: "payment advice 10-06-21"
Attachment: "Swift-pdf.gz"

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c12f69c9907c35269bc9893b25c5440583167d7384d838c285bd97b8726337b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 11:18:32 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
5 of 45 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqjpnheza7bve2n4tcj3excuibmdcz6xhbgyhdbilpmxxbzggn5q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210722-dd1cmgrl26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/5c12f69c9907c35269bc9893b25c5440583167d7384d838c285bd97b8726337b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5c12f69c9907c35269bc9893b25c5440583167d7384d838c285bd97b8726337b

(this sample)

AgentTesla

Executable exe de49258994a651e41ea2b519ae39eb815b8d26cb3097fab2dd0e1ee5c9ea37b1

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 de49258994a651e41ea2b519ae39eb815b8d26cb3097fab2dd0e1ee5c9ea37b1

Comments