MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296
SHA3-384 hash:	213e82be3e9cb2e5b3945654545b25d30313abd97cc0cccdf43fe08a9830d4929c65407574757cd51657bbd28ec1c2d0
SHA1 hash:	debfc6dbb9404b683641b5146f271df43bdeb7c0
MD5 hash:	5da81538b635dc37730582491562e482
humanhash:	lamp-kilo-fish-massachusetts
File name:	SWIFT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	697'856 bytes
First seen:	2020-10-02 14:10:37 UTC
Last seen:	2020-10-02 14:58:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a1e5711bc737acfb9c62f1037872bc25 (2 x AgentTesla)
ssdeep	12288:TjBQofmNv8Y2hdFXsnlnOde3+JGDXwLZT0ljL+7LzSD4dqaN1y:5QZb8VCr3+EgejlsQ9
Threatray	1'902 similar samples on MalwareBazaar
TLSH	B8E49F37F2E04C37C1271A389C1B5B78AA39BE103968B8467FE9DD485F397917429293
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/67759/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

PUA.Win.Adware.Webalta-6912039-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/480304

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-10-02 14:10:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uk3asxcfiydthofl3xcvnd74l4yjb6ow4pjlwq265kub3wm2kkla._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d

AgentTesla

5cc630d698e1051fbb93f828b3d7d39d933b044b5dbd889ca88e0eb73b76d5c5

AgentTesla

7a3879038204d61be582004425e7f0772af3eae39a2c8770f955c52ac5729388

AgentTesla

99d8aa2226c22f96aac10d32c9feb6ffff2e399786e1e31304b7b5f31bc176c1

AgentTesla

a833610433fa6de56d1c2e78655d3369cb43d87f856a68a20dc27d58794d791a

AgentTesla

a921089f3327d511043c7feffed9985bfb3a7ca5ee43e0724c344ad8cb63fbf5

AgentTesla

b394a0c32dc0f5da39a67a1fabc770734b27b69c763a8b94265aab41e77ce57b

AgentTesla

cc5b616ee151f836fb52d686f978123c5427d27f738baaea8583e791f9742686

AgentTesla

d0ced70a4b700dc5e0905bf3743a224ac4722139d7507e367c32880c72ecd048

AgentTesla

+ 1'892 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201002-3l4k6qfclx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296

MD5 hash:

5da81538b635dc37730582491562e482

SHA1 hash:

debfc6dbb9404b683641b5146f271df43bdeb7c0

Link:

https://www.unpac.me/results/37f25fbd-00ae-4b08-b049-95ea2993a141/

SH256 hash:

7e2a160d1a66c4dacd8737be67182d64dd8c3bb6edf1c69c5343a5f3bbe30416

MD5 hash:

3a4083aeef60fde5f5980a30843cb80c

SHA1 hash:

6c3fd09cd3e01ef03f9a954607865e63d8fec2bb

Link:

https://www.unpac.me/results/37f25fbd-00ae-4b08-b049-95ea2993a141/

SH256 hash:

a66965d75795b24a0aefac490e1dd3ae43f9fd5f78e2a1af17b97b7a1b39738b

MD5 hash:

ec71d437943d4c0078c01c9a7f9eba01

SHA1 hash:

f0251c118e1f1c0fb5f93c5445807860e59442c5

Link:

https://www.unpac.me/results/37f25fbd-00ae-4b08-b049-95ea2993a141/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/67759/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample