MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5
SHA3-384 hash: 0229296c93905b1cd6d1478e618c136f7d4245a565d91de6b04376848e2ded2c634f7e3896ed0f9802ae2a48ecbb1d15
SHA1 hash: be54e34827149f15de817e2fb8f1f55bf45fe463
MD5 hash: bf56b6516631efb6835bc1c4ae9f1094
humanhash: uranus-paris-mississippi-monkey
File name:TT-SWIFT COPY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:957'440 bytes
First seen:2021-02-19 09:40:43 UTC
Last seen:2021-02-19 20:34:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:1HAsH4Zx8FKLriziS1NtoqrDTO8RMIhU5G/3R:1HAsH4Zxbi/tPnTZRMIhv
Threatray 15 similar samples on MalwareBazaar
TLSH B815023363D85F97E17E9BB49A24000093F5B71BE723F78E3EA505CE1961E84A632716
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117952/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.545.12480.14811.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/612511
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 18:12:02 UTC
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=orfhnryohlajgr7oyjfzoui2kdefosxbw3g2cy2ozzfnvybvqhkq._file
Verdict:
unknown
Similar samples:
1a86f37c4830102f274d8d26e167412e5f0d8e82d66008d63066e1c48e285e38
AgentTesla
542973a152451729c2611f35ffd0af1ad85fcaebb23956dc807252ad1ed16900
AgentTesla
7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
AgentTesla
75a02ca03fa09ee68ee93a059aa86f14d66276985514c4b3597f9f62a36708b1
AgentTesla
81274d23515440feac07a591db64f946640ab3a4350bbfaa0d955ced83175fb0
AgentTesla
81946c466ac534b02999f9e8d47d9ec79bb0ee7a365503294931806ad23502e4
AgentTesla
8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8
AgentTesla
ae6ad2297366fb5194e553992732f0a5740de2c5fe4b7be56fd2e1a52cb915c4
AgentTesla
aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
AgentTesla
d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345
AgentTesla
+ 5 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210219-h46nzct8yx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9
MD5 hash:
5ad6dc03137fc80e4e691f4b409d9120
SHA1 hash:
edb38e49ce79ecce33ce9a891df56468c3a4016e
Link:
https://www.unpac.me/results/57c3fc40-bd75-4a0d-abaa-5a0054f61495/
SH256 hash:
744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5
MD5 hash:
bf56b6516631efb6835bc1c4ae9f1094
SHA1 hash:
be54e34827149f15de817e2fb8f1f55bf45fe463
Link:
https://www.unpac.me/results/57c3fc40-bd75-4a0d-abaa-5a0054f61495/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ad36807d445ada08151fc65a3588b7c3b963d3fb0795142c52e3abdcfe11b992

AgentTesla

Executable exe 744a76c70e3ac09347eec24b97511a50c8574ae1b6cda1634ece4adae03581d5

(this sample)

  
Dropped by
MD5 3a69745cf008030bfb7f44d49533d962
  
Dropped by
SHA256 ad36807d445ada08151fc65a3588b7c3b963d3fb0795142c52e3abdcfe11b992
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117952/

Comments