MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fd87c4851eec32670acf7363dc1e49c2ade5ae19fc43b610e73776017575599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	9fd87c4851eec32670acf7363dc1e49c2ade5ae19fc43b610e73776017575599
SHA3-384 hash:	e0fef72bae9a2268faac518a36c48374b3bea134066ca430046f6ad96bbb2ecc4b076ddc46d7d820fda3b755175fb75d
SHA1 hash:	1747bfabecacdfdb2a022d419962ecfccfbd199e
MD5 hash:	92c0cf5d5a0898509042870a9bf1be4b
humanhash:	cold-network-foxtrot-undress
File name:	TT-SWIFT COPY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'020'928 bytes
First seen:	2021-04-16 06:42:45 UTC
Last seen:	2021-04-16 08:01:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:b2FZisQeCH9tw2bgMpta0I7aDRtXuwsZPfSM4HbGjN+fsmhNbsCh/ajuR:iFZAkMptFOabuwo
Threatray	4'580 similar samples on MalwareBazaar
TLSH	B3257D9C3650B9DFC85BCD36DA981C64EA10A4B6470BE303A09716AD9E0DADBDF141F3
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TT-SWIFT COPY.exe

Verdict:

No threats detected

Analysis date:

2021-04-16 07:06:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1d17a525-a199-4d4b-83e8-66962f874385

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/135879/

Detection(s):

SecuriteInfo.com.Artemis92C0CF5D5A08.14271.7081.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/679814

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9fd87c4851eec32670acf7363dc1e49c2ade5ae19fc43b610e73776017575599/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-04-16 06:43:16 UTC

AV detection:

17 of 47 (36.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7mhyscr53bsm4fm643d3qpetqvn4wxbt7cdwyioon3waf2xkwmq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1

AgentTesla

4231c38aadd1c59f0270408e841f773c1e17bf1e45f02d20f440d1c82413ec5a

AgentTesla

448fd07b6733645189dad688e8e49f02bbf01cb4f530f02ae2b63e933ff602b1

AgentTesla

5beeb9bd442d8be1b27a6a1e11d52abf7e3b1ed183bc10e636f2c885704d6dd7

AgentTesla

7b3834838c8089d4af4508d5961ea134c7ae331dfe350381f38fb6ffda679726

AgentTesla

cf239112a4bc5542b355e765ef8a5a139824fdeed307c3ff7821094d09577f1d

AgentTesla

db5e220fcf9c0a4f920ffae85664ea17a2dab6ab8b279754f7057e45995c0b6d

AgentTesla

e76dd82a5ddf176a492b469ece27f7614f6c44d1d44751139c92ed2851aef9bb

AgentTesla

fda54eeea2a6d50cd24797baaf2d7e2a7293a29f8f256c211f90c15349ddb8b5

AgentTesla

+ 4'570 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210416-w51rrsrvmj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

c444f99db84753b8a817490d4639337bd754bc8106d24642337efe5979d1408f

MD5 hash:

ae9bf15778e25036db3888244b7f57be

SHA1 hash:

ea4782b4d48d51036aa0e53528386626c4174abc

Link:

https://www.unpac.me/results/25d41422-3e8a-4ed3-92b8-d7a2a60eb883/

SH256 hash:

5df4382bed682ab0e57cb7a4cd920039f9b4c7393cc499f9f64adc5d5777644d

MD5 hash:

0403664e1e2396339cb319670b1d60d1

SHA1 hash:

e59d27d433703b9da5d7f2a473d52fd6206a133d

Link:

https://www.unpac.me/results/25d41422-3e8a-4ed3-92b8-d7a2a60eb883/

SH256 hash:

fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5

MD5 hash:

8b603b23caf00139206f293eb741a9f0

SHA1 hash:

1cc90aec7ce07b13930fe0c088fe3cd155b3ea07

Link:

https://www.unpac.me/results/25d41422-3e8a-4ed3-92b8-d7a2a60eb883/

SH256 hash:

9fd87c4851eec32670acf7363dc1e49c2ade5ae19fc43b610e73776017575599

MD5 hash:

92c0cf5d5a0898509042870a9bf1be4b

SHA1 hash:

1747bfabecacdfdb2a022d419962ecfccfbd199e

Link:

https://www.unpac.me/results/25d41422-3e8a-4ed3-92b8-d7a2a60eb883/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9fd87c4851eec32670acf7363dc1e49c2ade5ae19fc43b610e73776017575599

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/135879/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample