MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a905a0785d3fa357974e3f94754c6bad02bdbfb4083fb5509161523c5b2ffb56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 11
| SHA256 hash: | a905a0785d3fa357974e3f94754c6bad02bdbfb4083fb5509161523c5b2ffb56 |
|---|---|
| SHA3-384 hash: | 534b4078bcd37b226cf9b5c2a30d8cb3c4ae236f0d489ddf8f3608a801c82dd74a74e751340b364796d9b1df95937421 |
| SHA1 hash: | 7c395f76f03deccbb6f8167d668051100734663f |
| MD5 hash: | 897650b1b6601aaf5aa22f2b8193e332 |
| humanhash: | twelve-mississippi-iowa-five |
| File name: | Ziraat Bankası Swift.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 929'792 bytes |
| First seen: | 2023-03-06 15:45:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 24576:s1Qwe3cOQZ2Q4lmLTMJjly/Ywwm6J83AsK:sBDWmOlHHmosK |
| Threatray | 1'296 similar samples on MalwareBazaar |
| TLSH | T15C159E9132B1D4B3F5CB017564287ACC2D7CB143B6D8F24B6A777AC09601ABBF6A8D11 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe geo TUR ZiraatBank |
Intelligence
File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ziraat Bankası Swift.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-06 15:49:43 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Verdict:
Malicious
Result
Threat name:
AgentTesla, zgRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Status:
Malicious
First seen:
2023-03-06 12:26:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 25 (80.00%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 1'286 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
218129c920a2a4d3c8cb487ce92ca7382d9c07ca9693ff250cf4b2b3460acdce
MD5 hash:
675e66d08e5065928d67bee3b48a4625
SHA1 hash:
df2f738bbd912861df2ce918e9bd75f472eb9693
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
SH256 hash:
a2aafddab896bd345d8647fd4e70bad877b3a90bca8a979fe7aa02fb9fda96e8
MD5 hash:
7de908ab89cd4162ccd2fee8f5c6432d
SHA1 hash:
55e67b043de5e81aff7d461fbd610b89f85f8d8f
SH256 hash:
669f8e5615fe13f6386ce280127e84fac5740ef1638ed25a8e8fba5a753da6e9
MD5 hash:
1be776b9b5685748d2f589041a4fdb32
SHA1 hash:
00d69cc97ba8c0abb74efcd38e08f2aec6276194
SH256 hash:
a905a0785d3fa357974e3f94754c6bad02bdbfb4083fb5509161523c5b2ffb56
MD5 hash:
897650b1b6601aaf5aa22f2b8193e332
SHA1 hash:
7c395f76f03deccbb6f8167d668051100734663f
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.