MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5
SHA3-384 hash: c4a884be8d6cf71007cd71ee13da1a1a997aabe6493147a90b5ff285f44d2990b016cb4cc1bc40a6cc88255a20bed20c
SHA1 hash: fbc50b4fd607799ecbac04ec09b3a0cd69a8df46
MD5 hash: bc8a66620e6f6f549beffd0cbbc3b722
humanhash: delaware-delta-neptune-missouri
File name:Swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:896'000 bytes
First seen:2023-06-20 06:27:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+NcHCYtYq7J3At5iHOq+ZQkGHp9Q8rCAZdw16xw+oSdIkgOZa0Umidcs:qQYqtm8OqKUQ8rJySdIx1
Threatray 3'066 similar samples on MalwareBazaar
TLSH T17215E0203AB80F57D47D97F90151A23117FA9A6A783ED3584ED3B0DB2A62F410E92F17
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift copy.exe
Verdict:
Malicious activity
Analysis date:
2023-06-20 07:01:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cc8630c3-1176-4c7f-b73b-8fdfeba2ec29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400823/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/649146f73067ea15b65681ee/reports/a194d081-ab83-4da6-bb87-c344d6fb9e65/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/79f85a2b-1f0d-488f-ad1d-b820cf576726
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1258463
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 18:37:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3vqic46ucanluzg5t65aqu43bzm4citrryowklvim7t7gdyvx2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0deabb80746cb8ebdec5671801426c6b2dd5862398ff79d3db94bb8a95a3a459
AgentTesla
1f1987c42f73ffac95703d0f7c9445819e46f1471eb6049a51b66e0c7e730804
AgentTesla
3884e567629d6433ebefa10b2e6d53a27f7b19c9d2e1c4ca7126fc4ceeda230f
AgentTesla
39893af7f960c76c20ab2b99e5caa2acabab3c7fc01e47791586f451eba5be5b
AgentTesla
3d0816e876a59f4e3b56bd2105122ef69499f79bab375b0956716494eb286dbd
AgentTesla
3d9b67b5dc857a2663548b9335d48dde0a880f6b61490f0cced767399a166f2b
AgentTesla
c3706faf1e9a38c879ec449a50da90aafcae01787b0e56962519d3edac1d6b42
AgentTesla
d3fa8bd6b585950b90a820e54ce4b98e306dba962498f7f098ebd811dfdc735f
AgentTesla
f2927830e4233d9249db711122cafe8f85bf91afa44409b63aacf64b28176356
AgentTesla
f8c91d5c6dd452a15af5ecaf3ac6c9c076955708fc351ae4b8e2dbda928043fa
AgentTesla
+ 3'056 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230620-g8bz4abe9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
AgentTesla
Unpacked files
SH256 hash:
52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1
MD5 hash:
c785ddc46141af772c75101d17c46a41
SHA1 hash:
e248723b6f60cc7607980d07172b64c33b2b2f15
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
SH256 hash:
4762ce0d59996617528ba0db74da76fe53f4ccb577bbe2f6ecc1207edd457169
MD5 hash:
c83675485663b1e277974d89307df580
SHA1 hash:
c68230565799621e66fed38835e2efcce13423da
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
SH256 hash:
24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6
MD5 hash:
64fcc151459a284a183dbbc044aa2142
SHA1 hash:
a33fa55f857e654bb5688c116680217e673bb600
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
SH256 hash:
78225b1e6763748122a4464e80eeac7fadff18950e612b7c5e793e403e460efb
MD5 hash:
07a1c33941207d48c20a92f7856fa39e
SHA1 hash:
835fd262e99a3e4d82761ef395874358288270e5
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
SH256 hash:
811a973c5c49941bf156966497407f10a8a64a183b9caa1baffdf7f3d0c655df
MD5 hash:
37c269347524e9cbb2d28fd1e83c397f
SHA1 hash:
528b1f699b758f1709fb27be1c16f81cb46f37ec
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
SH256 hash:
beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5
MD5 hash:
bc8a66620e6f6f549beffd0cbbc3b722
SHA1 hash:
fbc50b4fd607799ecbac04ec09b3a0cd69a8df46
Link:
https://www.unpac.me/results/16820d3c-4f2b-46d3-985f-bd9a53f61520/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/beeb040b9ea0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/beeb040b9ea080d5d326ecfdd0429cd872ce09138c70eb2975433f3f9878adf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400823/

Comments