MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10

SHA256 hash: 9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5
SHA3-384 hash: 2a6c2af1115af78d23f66060b18a8a58094d562b67a912bcc1724ad744c7e7ce78161b1a982227e9f4fb3e1915d68076
SHA1 hash: f0843ea015f166b91a2dcef3bfb719df9afe13d0
MD5 hash: 0de826fde59e7651e44b5d76d740b758
humanhash: edward-fourteen-dakota-king
File name: SWIFT_XV5.exe
Signature: AgentTesla
File size: 283'673 bytes
First seen: 2021-03-05 06:39:23 UTC
Last seen: 2021-03-10 13:54:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 6144:l8LxBjo+ys5gnF2k4gMLTBjPVZ5UlIlU0OttvpFi/w3pQ:0JY2X/nhPVnUQOtZbiUpQ
Threatray: 2'889 similar samples on MalwareBazaar
TLSH: 0B54127636C3E8AFE1D282B4457BBB2DF37772041211928797FDADBF2A001265F1A452
Reporter: fabjer
Tags: AgentTesla exe
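
The digests above are the part of this record a responder actually pivots on. The imphash is a weak pivot here: the page itself shows the same imphash on 464 Formbook, 184 AgentTesla and 122 SnakeKeylogger samples, which is typical of .NET executables (the sandbox signature further down flags .NET source) because their native import table is nearly identical. The following Python is an added example, not MalwareBazaar's own code or API client: it computes the four file digests this record lists, normalises a hash string copied from a report, and looks it up against the digests on this page (the submitted sample and the files listed under "Unpacked files"). The `build_mb_query` helper only assembles the `get_info` form fields for the MalwareBazaar API endpoint at https://mb-api.abuse.ch/api/v1/; it sends nothing, and current authentication requirements should be taken from abuse.ch's API documentation.

```python
"""Hash a file and check it against the digests in this MalwareBazaar record.

Added example, not MalwareBazaar's own code. The IOC table is copied from the
entry above (submitted sample plus the three other unpacked files)."""
import hashlib
import re

# SHA256 -> weaker digests and a label. Hashes copied from this page; labels are ours.
MB_ENTRY_IOCS = {
    "9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5": {
        "md5": "0de826fde59e7651e44b5d76d740b758",
        "sha1": "f0843ea015f166b91a2dcef3bfb719df9afe13d0",
        "label": "SWIFT_XV5.exe (submitted sample, AgentTesla)",
    },
    "bbe8061a53202f618c30d2b2f698c29fa771f1feb60f61461d4a6d337a2e6022": {
        "md5": "15ae1ad5f488867de5b0b55e3f860e58",
        "sha1": "ca94a0832a74f330f611d99f2dc46c25fc8886e3",
        "label": "unpacked file (listed under Unpacked files)",
    },
    "b18cb9f2f3b8d529860b8664f6f7de4ce81a379f138a529601613a771e0de0b0": {
        "md5": "55a958bb56295839b91cb725073e9d61",
        "sha1": "7735ffa86d6dbdf4749c5d6112dea4be401d296b",
        "label": "unpacked file (listed under Unpacked files)",
    },
    "e44e27827e7d324f2a95f1f168b3d8c5fb1a5a317744388058911f8dbc630177": {
        "md5": "0f1fcceff4f338e99089d864b24fd18a",
        "sha1": "0b4dad00c404470bca8cc8e07f8720887fb4e874",
        "label": "unpacked file (listed under Unpacked files)",
    },
}

HEX_RE = re.compile(r"^[0-9a-f]+$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}


def normalize_hash(value: str) -> str:
    """Lower-case a hash copied from a report and reject anything that is not a
    hex digest of a length MalwareBazaar lists (MD5, SHA1, SHA256, SHA3-384)."""
    h = value.strip().lower()
    if not HEX_RE.match(h) or len(h) not in DIGEST_LENGTHS:
        raise ValueError(f"not a recognised hex digest: {value!r}")
    return h


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests this record shows for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def lookup(hash_value: str, iocs=MB_ENTRY_IOCS):
    """Find a SHA256, SHA1 or MD5 in the IOC table. Returns (sha256, label) or None."""
    h = normalize_hash(hash_value)
    if h in iocs:
        return h, iocs[h]["label"]
    for sha256, rec in iocs.items():
        if h in (rec["md5"], rec["sha1"]):
            return sha256, rec["label"]
    return None


def check_file_bytes(data: bytes, iocs=MB_ENTRY_IOCS):
    """Hash file contents and look the SHA256 up. Returns (digests, hit-or-None)."""
    digests = hash_bytes(data)
    return digests, lookup(digests["sha256"], iocs)


def build_mb_query(hash_value: str) -> dict:
    """Form fields for a MalwareBazaar API 'get_info' lookup (POST to
    https://mb-api.abuse.ch/api/v1/). Assembled only; nothing is sent here, and the
    current authentication requirements should be taken from abuse.ch's API docs."""
    return {"query": "get_info", "hash": normalize_hash(hash_value)}


if __name__ == "__main__":
    # Constructed input: not the real sample, so it must not match the table.
    digests, hit = check_file_bytes(b"constructed harmless bytes")
    print(digests["sha256"], "->", hit)
    print(lookup("0DE826FDE59E7651E44B5D76D740B758"))
```

Matching on MD5 or SHA1 is kept only because many older reports carry nothing else; when you have the file, compare the SHA256.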

Intelligence


File Origin
# of uploads: 3
# of downloads: 130
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SWIFT_XV5.exe
Verdict: Malicious activity
Analysis date: 2021-03-05 06:42:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions taken during the session rather than only the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 363698 | Sample: SWIFT_XV5.exe | Start date: 05/03/2021 | Architecture: WINDOWS | Score: 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
Process tree (recovered from the behavior graph):
SWIFT_XV5.exe (started)
  dropped: C:\Users\user\AppData\...\terryfund.exe (PE32)
  dropped: C:\Users\user\AppData\...\ugbfayk1gzog.dll (PE32)
  signature: Maps a DLL or memory area into another process
  -> SWIFT_XV5.exe (child)
     -> iexplore.exe
        -> iexplore.exe: 140.82.121.3:443 (GITHUBUS, United States); 185.199.109.133:443 (FASTLYUS, Netherlands)
        -> iexplore.exe: github.com 140.82.121.4:443 (GITHUBUS, United States); avatars.githubusercontent.com 185.199.108.133:443 (FASTLYUS, Netherlands); consentdeliveryfd.azurefd.net
        -> iexplore.exe: 192.168.2.1 (unknown)
terryfund.exe (started)
  dropped: C:\Users\user\AppData\...\ugbfayk1gzog.dll (PE32)
  signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
  -> terryfund.exe (child)
     -> iexplore.exe
Threat name: Win32.Trojan.Spynoon
Status: Malicious
First seen: 2021-03-04 18:54:43 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SHA256 hash: bbe8061a53202f618c30d2b2f698c29fa771f1feb60f61461d4a6d337a2e6022
MD5 hash: 15ae1ad5f488867de5b0b55e3f860e58
SHA1 hash: ca94a0832a74f330f611d99f2dc46c25fc8886e3

SHA256 hash: b18cb9f2f3b8d529860b8664f6f7de4ce81a379f138a529601613a771e0de0b0
MD5 hash: 55a958bb56295839b91cb725073e9d61
SHA1 hash: 7735ffa86d6dbdf4749c5d6112dea4be401d296b

SHA256 hash: e44e27827e7d324f2a95f1f168b3d8c5fb1a5a317744388058911f8dbc630177
MD5 hash: 0f1fcceff4f338e99089d864b24fd18a
SHA1 hash: 0b4dad00c404470bca8cc8e07f8720887fb4e874

SHA256 hash: 9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5
MD5 hash: 0de826fde59e7651e44b5d76d740b758
SHA1 hash: f0843ea015f166b91a2dcef3bfb719df9afe13d0
Please note that we are no longer able to provide a coverage score for Virus Total.
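
The two behaviour lists above describe the same chain from different sandboxes: a file written under %AppData% (the dropped terryfund.exe), a Run-key autorun entry, and injection into a process the sample had just created (WriteProcessMemory and SetThreadContext). The following Python turns those observations into host detection logic. It is an added example, not part of the MalwareBazaar entry or any vendor's sandbox output; the events are constructed Sysmon-style records (event IDs 1, 10, 11 and 13) with made-up PIDs, timestamps and paths modelled on this sample's chain, with some benign noise added so the rules have something to ignore.

```python
"""Detections for the behaviours this entry reports.

Added example with constructed Sysmon-style events; not vendor data. Field names
follow Sysmon (Image, TargetFilename, TargetObject/Details, GrantedAccess) but are
shortened, and every PID, time and path here is invented."""
import re
from collections import defaultdict

EVENTS = [
    # Dropper chain modelled on this sample.
    {"id": 1, "t": 100, "pid": 4001, "ppid": 3000, "image": r"C:\Users\user\Downloads\SWIFT_XV5.exe"},
    {"id": 11, "t": 101, "pid": 4001, "target": r"C:\Users\user\AppData\Roaming\terryfund.exe"},
    {"id": 13, "t": 102, "pid": 4001,
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\terryfund",
     "details": r"C:\Users\user\AppData\Roaming\terryfund.exe"},
    {"id": 1, "t": 103, "pid": 4002, "ppid": 4001, "image": r"C:\Users\user\Downloads\SWIFT_XV5.exe"},
    {"id": 10, "t": 104, "pid": 4001, "target_pid": 4002, "granted": "0x1FFFFF"},
    # Benign noise: an installer registers a Program Files binary, and a browser
    # opens its own child with query-only rights.
    {"id": 13, "t": 200, "pid": 5001,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 1, "t": 300, "pid": 6002, "ppid": 6001, "image": r"C:\Program Files\Browser\browser.exe"},
    {"id": 10, "t": 301, "pid": 6001, "target_pid": 6002, "granted": "0x1000"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.I)
PROCESS_VM_OPERATION = 0x0008  # Win32 process access rights used by WriteProcessMemory
PROCESS_VM_WRITE = 0x0020
INJECT_WINDOW = 10  # seconds between child creation and the suspicious handle


def detect_run_key_persistence(events):
    """Run/RunOnce value whose data points into a user-writable directory.
    Severity is raised when the same process wrote that file earlier, which is the
    dropper-persists-its-own-payload pattern this entry shows."""
    dropped = defaultdict(set)
    for e in events:
        if e["id"] == 11:
            dropped[e["pid"]].add(e["target"].lower())
    alerts = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.search(e["key"]):
            continue
        path = e["details"].strip('"').lower()
        if not USER_WRITABLE_RE.search(path):
            continue
        self_dropped = path in dropped[e["pid"]]
        alerts.append({"rule": "run_key_user_writable", "pid": e["pid"], "path": path,
                       "severity": "high" if self_dropped else "medium"})
    return alerts


def detect_injection_into_new_child(events, window=INJECT_WINDOW):
    """A process opens a child it created within `window` seconds with rights that
    allow writing its memory (VM_OPERATION and VM_WRITE): the hollowing-style
    'unauthorized injection to a recently created process' both sandboxes flag."""
    created = {}
    for e in events:
        if e["id"] == 1:
            created[e["pid"]] = (e["ppid"], e["t"])
    alerts = []
    for e in events:
        if e["id"] != 10:
            continue
        parent, t0 = created.get(e["target_pid"], (None, None))
        rights = int(e["granted"], 16)
        if (parent == e["pid"] and e["t"] - t0 <= window
                and rights & PROCESS_VM_OPERATION and rights & PROCESS_VM_WRITE):
            alerts.append({"rule": "inject_into_new_child", "pid": e["pid"],
                           "target_pid": e["target_pid"], "granted": e["granted"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_run_key_persistence(EVENTS) + detect_injection_into_new_child(EVENTS):
        print(alert)
```

The two rules are deliberately independent so each can run alone, but in practice the strongest signal is their conjunction on one PID, as in the constructed chain above.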

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The following additional information about this malware sample covers its delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Signature: AgentTesla
File: Executable exe 9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5 (this sample)
