MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
SHA3-384 hash:	c78c52c12a78abf2ff9c8dd3634c0f60737e4074679b8387b11cb1a0d7c524790296afb19d5bb52336ab3d338d24fc36
SHA1 hash:	526025c28d874c0788422b78376706b103f200a4
MD5 hash:	0c6728155fc24328dd4008a3ccd3c617
humanhash:	kitten-thirteen-mobile-asparagus
File name:	Swift Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'244'160 bytes
First seen:	2020-09-25 11:04:03 UTC
Last seen:	2020-09-25 11:41:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:0xOiZucOaCrYz4jEmW/g+jRr6xDIjm6/f8PtTH634q2vh26+hDvY:8OcyrKmW/Pd6O8Pp6o6b
Threatray	161 similar samples on MalwareBazaar
TLSH	9145F02031B67B09D1784BB00255B4B2C3B255267252D6987FE322FEA9F27C17E25F4B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/65797/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.28771.8022.28523.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/475023

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-25 04:56:24 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wben575ocb4gztrp7y2s7rsbltkfjhcjkbptjymop7ecbv6sbioq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2f3474e57e4d3df1cedeef87e3716fa9143a63cf7ffdd9273273f41c8a8bc223

AgentTesla

3c359f5677b780cc968723ceca8310ed20ae4bf691bd9900c7d334303b101776

AgentTesla

67f34d4b77be0ba5396670f17546282fae9edd6493094d58f742190795d7937c

AgentTesla

778999d611a2a22f82d48b71e94588b86336376e30b07cb1c3f2230959cc10ab

AgentTesla

aaeb8dbb55dfc7eae9879ef959b1321b70c90784ed1c434cd4fd4583e92cf163

AgentTesla

c9692914eb11d2c1cfb26bae5877943c1769994f857f0aa85b8c8f5064a2f042

AgentTesla

dc4eaa151b01375e0ba2392396b60e6abebab99e5590c93ab23ee3063aba5eb5

AgentTesla

dd48b3a67ab61431928bff75ec0dd6a64bae646306b68109ef6e02afbf2e4d46

AgentTesla

e03c4f9c8ae0b28a7538315c3af97428339911bd6118371c0459adfd14abca44

AgentTesla

+ 151 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200925-k3y61hzfse/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d

MD5 hash:

0c6728155fc24328dd4008a3ccd3c617

SHA1 hash:

526025c28d874c0788422b78376706b103f200a4

Link:

https://www.unpac.me/results/eade6931-6426-4f2b-b318-8f9b429b38d2/

SH256 hash:

68791b7ed5b1dc48726d2f9a070df8cded58bb1b9c534bd04fe114a6b1b5f6c6

MD5 hash:

9a8f2ee507e7610a5c701e042e09742c

SHA1 hash:

23cfad6d579eb154f1eb5e7b110df1c419dcb48d

Link:

https://www.unpac.me/results/eade6931-6426-4f2b-b318-8f9b429b38d2/

SH256 hash:

729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f

MD5 hash:

ac3f427e66b28b013b0b651c2f71d1e9

SHA1 hash:

ddf8b4b1d36aced75740632b41d30add06b5db3d

Link:

https://www.unpac.me/results/eade6931-6426-4f2b-b318-8f9b429b38d2/

SH256 hash:

a396f1e835d25fdaf3441dccdac9b038fd13f9df7e21e210eb5335172525f78d

MD5 hash:

d16f71a8a6be015936913e121ef05f8d

SHA1 hash:

f4090e2fab65a874cee6b73addbb8848113f9deb

Link:

https://www.unpac.me/results/eade6931-6426-4f2b-b318-8f9b429b38d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 26adf3ba63f0675526591f96e80d809e5ce72ac2e589085618810d689a5acbe1

AgentTesla

exe b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d

(this sample)

Delivery method

Other

Dropped by

SHA256 26adf3ba63f0675526591f96e80d809e5ce72ac2e589085618810d689a5acbe1

Cape

https://www.capesandbox.com/analysis/65797/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample