MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c
SHA3-384 hash:	8740eae5d669429d4b5f988f8df1ff62923b7c8e3f2e8c8394ed499df13ec9c196489dcab7f34138c9fc421dd5570f76
SHA1 hash:	18f35b40f6b7032529809c51fbdff27f594ce0c4
MD5 hash:	d5b5dc61ab67fdcb65b5686a57a088e0
humanhash:	skylark-lion-zulu-ceiling
File name:	Swift Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	749'568 bytes
First seen:	2020-10-20 08:41:26 UTC
Last seen:	2020-10-25 18:42:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	12288:5MjMe2iNeRLzROZ+aXXZTqoZ8huTbjEvRDXNOPAIUxqeslQdzgmT77LUH:5s1UU+a5eoNHEvFgHUxzYQdzgY77L
Threatray	667 similar samples on MalwareBazaar
TLSH	FAF4E1B122F89F26D03F9779143461418FF5E413C752E6A9BDCC52AA0FA6B924723B13
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vps.akhtargroup.com.bd
Sending IP: 50.31.147.37
From: Zhonglong Materials Group Co., Ltd <sales11@zpigments.com>
Reply-To: purchasemd@yandex.com
Subject: Zhonglong's Greetings from China/Swift Copy
Attachment: Swift Copy.zip (contains "Swift Copy.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/73384/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/497401

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-20 02:07:28 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twwiyymkahdvus4ldytljiyzrsbs3arquv4i7mom6hrorv6yaaoa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

21e5114a7f07c582b74a78a0e3cf75ac751f4b3adeb609bda84d5755a6b5c2d2

AgentTesla

2c4f7516214ad84b31d2468ff496720193ea743bdb260287e2ef9ec48014b493

AgentTesla

312b49a82f8571c6c85b8322115dd46980e9005010c8e3c1d2fa27b0cb1ff0a5

AgentTesla

727e1f0aabc7d8fb68f756541bd8797dd810c2b3ab684ae6e53732e461425f20

AgentTesla

818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e

AgentTesla

a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04

AgentTesla

ad8aeed2d546163aa0b5cbfb430bc9a02896645be4a51cb654083ce18ab853bb

AgentTesla

c43cecf1b4a2303d2eff66ac49e4539aaaac2605373b98bb03c2867d79f0a784

AgentTesla

d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e

AgentTesla

+ 657 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201020-2rlg5rbsex/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c

MD5 hash:

d5b5dc61ab67fdcb65b5686a57a088e0

SHA1 hash:

18f35b40f6b7032529809c51fbdff27f594ce0c4

Link:

https://www.unpac.me/results/44ab6e23-854d-48b5-a12a-7ac5cb24780a/

SH256 hash:

e15f40fb81885644f2a9b5b20c73feec253080667de403a3ce425179a02fb292

MD5 hash:

250f194d7d95ba88909a775798ac969a

SHA1 hash:

8535eb2e56be22011277f17d1fe604a28f5bf5d5

Link:

https://www.unpac.me/results/44ab6e23-854d-48b5-a12a-7ac5cb24780a/

SH256 hash:

b905308a43bb5d41b04f812e38084fe2884d281082b061566c2ae45b685ed241

MD5 hash:

43764cbed874115ee4075be2bc38614e

SHA1 hash:

95483838143999177de9025f38d294c75d49dfb1

Link:

https://www.unpac.me/results/44ab6e23-854d-48b5-a12a-7ac5cb24780a/

SH256 hash:

5c13a844943fa261cde5962641592f65ef46eb92ff625e7a69f9e378a1511f5a

MD5 hash:

77ad1c7e2590275be6d06e26d955bca7

SHA1 hash:

b0fde1cf30ede56eed020b4748f7ba03da0a133b

Link:

https://www.unpac.me/results/44ab6e23-854d-48b5-a12a-7ac5cb24780a/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/44ab6e23-854d-48b5-a12a-7ac5cb24780a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 84c677b854c6b710f5b9cf64d0f1a077302199ede566c90da69792e11ef40349

AgentTesla

exe 9dac8c618a01c75a4b8b1e26b4a3198c832d8230a5788fb1ccf1e2e8d7d8001c

(this sample)

Dropped by

MD5 e9ff1f778a8af2eede393ecc07ef9b7e

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/73384/

Dropped by

SHA256 84c677b854c6b710f5b9cf64d0f1a077302199ede566c90da69792e11ef40349

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample