MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6693da20e6a0e6bb2d7d09aae5744f0efb5afb0eb5535462b46953fd5fdfa19d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6693da20e6a0e6bb2d7d09aae5744f0efb5afb0eb5535462b46953fd5fdfa19d
SHA3-384 hash: 959eb6994d7e4eaff00a117e93f5819492d7074943a8c9feaed8d2043ea97c3a42cfbdb7f6939b98d19cb6fcaebe8d71
SHA1 hash: 19bc30d8486c004e3111d75d6d4b9f43147df0fc
MD5 hash: c4eb327e4c52ba8599c65054ae87ac30
humanhash: berlin-cat-mars-south
File name:TT SWIFT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:594'944 bytes
First seen:2020-06-03 13:35:09 UTC
Last seen:2020-06-03 13:51:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:y9hpXmPKqUAQM5zixZ1ALvIoejOVzEY3j+16iFobcKB4:yBmiqUAQeGxZirsO5NY
Threatray 10'999 similar samples on MalwareBazaar
TLSH 46C4E01436A1BE4FC22F4E76882248009BB0E2737B5BF3476DCB21DB551EBD94A11B97
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hsbc.com
Sending IP: 209.58.149.66
From: payment-advice@hsbc.com
Subject: Payment Advice - Ref: HSBC99002992/16052020
Attachment: TT SWIFT.Pdf.gz.zip (contains "TT SWIFT.exe")

AgentTesla SMTP exfil server:
mail.almushrefcoop.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 14:35:49 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2j5uihgudtlwll5bgvok5cpb35vv6yowvjviyvunfj72x67ugoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529
AgentTesla
3c12197e1c9c3d04c5831d3633fcda64dd51bd7c7d31db7ca42fafe341f7a3ee
AgentTesla
56d1018b5e98599629854a6a02b529ed5c9f1372f799747aebb0a9af9cc831d6
AgentTesla
5bb47f4d839af90df0d747b278c69d873127d2574a3f77965f9e7787385220d4
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
b9a12009bbff8c77d8d325b990a53e33f68b60bd734762a0f31721286eaa329f
AgentTesla
ba19f152a61cf84f2a2f1d5bb1f7dc7861a8c234bb358bd5bb7d2cceb4523fc9
AgentTesla
dd73ef0c278e50bc42f5afe096966fa841b9acbb6bfb553a67724b04cc85d097
AgentTesla
ef1448f905b7a9ac9186f6d076996b9638d37a8b96af5f7c791c4b0aa9a7aace
AgentTesla
f91c59a4e7c426578c67ccfeeb3f4ff7a2f131bf1bf8ca891553f398be9d4d01
AgentTesla
+ 10'989 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-djypvel5ds/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip cdebc24e714de7663e7ad5cc4e13c2cc331af5a288702cf8bf77d092a5ba9fb2

AgentTesla

Executable exe 6693da20e6a0e6bb2d7d09aae5744f0efb5afb0eb5535462b46953fd5fdfa19d

(this sample)

  
Dropped by
MD5 83467da131f0e2e05abf1e572ce6c460
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cdebc24e714de7663e7ad5cc4e13c2cc331af5a288702cf8bf77d092a5ba9fb2

Comments