MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c
SHA3-384 hash: 5db2a7c93f1b230bf410a92ff1d145645c83e15489f8d5951d0b4376f51c7c5133dffa7b3b34c726ddd182f742d102ab
SHA1 hash: ae74eadcb41c8662fc0ec8319bd8fdaabcf68631
MD5 hash: c53851f4f5da5ebaf1f67d3ab518478f
humanhash: whiskey-wisconsin-charlie-papa
File name:Swift_Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:903'680 bytes
First seen:2021-04-08 10:10:38 UTC
Last seen:2021-04-08 13:19:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:c5xIIK2eESixf0BN7gCfwCDLcGDrGplpUQYcUYusIKUvE+:c5iIVZM7gCfwCDLcGnMlpUQvU0Ic
Threatray 4'138 similar samples on MalwareBazaar
TLSH 7F1516E17118FB3BCC0006F26C9334E7CAB36C1B905EC7AD24E6A5D52C995A68D3F265
Reporter cocaman
Tags:AgentTesla exe SWIFT

Intelligence

File Origin
# of uploads :
3
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift_Copy.exe
Verdict:
No threats detected
Analysis date:
2021-04-08 11:50:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63b09402-37a3-470c-83e7-f1318602c4f1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133167/
Detection(s):
SecuriteInfo.com.generic.ml.3959.29699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669928
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383913 Sample: Swift_Copy.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Sigma detected: Scheduled temp file as task from temp location 2->31 33 Yara detected AgentTesla 2->33 35 4 other signatures 2->35 7 Swift_Copy.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\LkUhukiIiawSEs.exe, PE32 7->19 dropped 21 C:\...\LkUhukiIiawSEs.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpA681.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\Swift_Copy.exe.log, ASCII 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Injects a PE file into a foreign processes 7->43 11 Swift_Copy.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtp.yandex.ru 77.88.21.158, 49763, 587 YANDEXRU Russian Federation 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 10:11:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=syszyo4daaxeurvgnit7b6crbsldlecvxv6zyh4koi5b6ioxdsoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0626455807fad5c69df5158b623b2046f376024449d78dccc8c8c96c8ddc3614
AgentTesla
163794b39bdb816cadf7bd0c907b4760b613bccee38677b4d260835ff812a644
AgentTesla
30865d42d9897a6611df8683bc041836794cf6d7ee47763281fbed0f063a7c8e
AgentTesla
397a4259ce9f2c29c4435eafea79c35e36c34464510d6392fe4aa61c87fe07ea
AgentTesla
524306af2db603c7db95227603c3014b67c27cfb2f88d12de2a599ece24575e2
AgentTesla
56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547
AgentTesla
5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
AgentTesla
7d7e4540b714031ca16ac11a8f127e73f9e66fb013c5a675eb68d93b6af88d0f
AgentTesla
896a518b2db98d75130034be194d0c0295e00a5c310e068790599b69420b2f08
AgentTesla
a2d57fd326d83d00c7aa270df2145c200205a5e94637948db042a0ac20239389
AgentTesla
+ 4'128 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210408-m3twcgdhq6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
c5519ef771321d62260735c62622297b284e823d97b29eed0dae704d89bb4c5f
MD5 hash:
0158502a4a1ee47ae2abfe604f2fd748
SHA1 hash:
3dec24548c89d943f3fe9a4dd0b8663cbdcf6e0d
Link:
https://www.unpac.me/results/ff35e368-9dea-4880-a3e5-c5256e17126a/
SH256 hash:
96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c
MD5 hash:
c53851f4f5da5ebaf1f67d3ab518478f
SHA1 hash:
ae74eadcb41c8662fc0ec8319bd8fdaabcf68631
Link:
https://www.unpac.me/results/ff35e368-9dea-4880-a3e5-c5256e17126a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 390a81f1e882ad6f32a370f1bd4db3804d88567537f77457f1584a2c090e3dc4

AgentTesla

Executable exe 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 390a81f1e882ad6f32a370f1bd4db3804d88567537f77457f1584a2c090e3dc4
Cape
Cape
https://www.capesandbox.com/analysis/133167/

Comments