MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
SHA3-384 hash: cfea77358b8fbcd4ae5d5bb20810428b7e9d2cbc6b2eb5fbea666593e6a1e54c73b0ca8e2c79d957ee51eb4318abd3a3
SHA1 hash: 60a5874a354152eacf09aa29e14a81d8ba989837
MD5 hash: a42d0e7607c4abfc34bd1bfb842da792
humanhash: table-edward-cola-violet
File name:swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:440'320 bytes
First seen:2020-05-16 11:20:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:P8GfyJxztRtP2P5+GoooRG3CTBafXOJR9sS7q9jWc28QpztYZfN6Llz4QW0RL:P9aBR4h+GpoRB8XOJzzOdWL4JN6JzdL
Threatray 10'943 similar samples on MalwareBazaar
TLSH 5C94010C769C7A17CABC0AFAD4725204D3F196A263E3E7DD8CC6A0EA55D67D10B129C3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: info@apexchemicals.co.th
Subject: Re:Urgent! confirmation of Invoice/payment
Attachment: swift copy.rar (contains "swift copy.exe")

AgentTesla SMTP exfil server:
1st-ship.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Mbt
Create hunting rule
Status:
Malicious
First seen:
2020-05-15 20:56:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=serw3jm4sxoxmt4fvbbjoi4pefppbtj5b66dp4vc6fos6mbofx6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4f81b89148442875962b35680334d7fc7b5827ad3764891fa990552fe77ea28d
AgentTesla
77642de174198cae37f2b0ce29eb087f138800df44a79bd0e589962e9fc64e36
AgentTesla
786be13603b06cce80fac1349c514e29ecd2664a51f045bc5446d2f9647087ec
AgentTesla
78dc559f3c971bf8fe5eb3f669a3b8de8c18313d2c466916fc32fd27ea352700
AgentTesla
8d339c015c4ffe14cd28f423625d45313081c61585ced94f822c7759a7226086
AgentTesla
93d5e54bc0eedf04d893416ef597e0c833c7d7870f9f793fdd7e5f1b23382273
AgentTesla
974edc62c329ce314f5c8c745cd145779db4c5a5d46188def7351cf11be83eec
AgentTesla
b2fcca31796bd8b38cadccf730710c298c702ab07e24b5d90e691ea047395026
AgentTesla
f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f
AgentTesla
f518f0a8e6238b33a99b3c030da878a1230d278dff2cac740c2a6c089b7801b3
AgentTesla
+ 10'933 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-hhw6el3gs6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar f6a4363fe8dd1ee4ddd7c7c93c78d175bd317187fec1e5b7b3bbe9b210127fd8

AgentTesla

Executable exe 91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd

(this sample)

  
Dropped by
MD5 b0b28c75c8c7d8ea129b3d943c4f6d78
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f6a4363fe8dd1ee4ddd7c7c93c78d175bd317187fec1e5b7b3bbe9b210127fd8

Comments