MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95
SHA3-384 hash:	293c5907bfa5d6e3322325c5b3ef357547ded90d4d0d6ebb31d88c1c19fc70e1073b6066663cdda879c769ffccf0f8c1
SHA1 hash:	ebb26f4663e4e8bb77ffc804d2c4b78b041edeba
MD5 hash:	fe5efb8dae35b00ee308bcc28a895f7b
humanhash:	dakota-delaware-freddie-red
File name:	HSBC remittance Application.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'240'577 bytes
First seen:	2020-07-13 13:01:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep	24576:K5xolYQY67ivyudcBzOliBaw2xw6/czuvExn5zQff6:dYeIs2cznxQff6
Threatray	11'572 similar samples on MalwareBazaar
TLSH	7E459D22F6815037C5731A7C9C1BA3656D2ABD11EF28EC4B3BF05E8C5E7924274742AB
Reporter	abuse_ch
Tags:	AgentTesla exe HSBC

abuse_ch

Malspam distributing AgentTesla:

HELO: nsv62.dnshostmaster.net
Sending IP: 124.150.141.116
From: HSBC_Banking Corporation Ltd <info@stsgcc.com>
Subject: HSBC_Payment Details
Attachment: HSBC remittance Application.gz (contains "HSBC remittance Application.exe")

AgentTesla SMTP exfil server:
smtp.imp-powers.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Win.Virus.Sality

Win.Trojan.VBGeneric-6735885-0

Win.Virus.Sality-6747602-0

Win.Malware.Swisyn-7610491-0

Win.Malware.Swisyn-7610494-0

Win.Trojan.Kazy-304

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Setting a keyboard event handler

Setting a global event handler

Creating a file in the %AppData% directory

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Deleting a system file

Deleting a recently created file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Setting a single autorun event

Launching the process to create tasks for the scheduler

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun with Startup directory

Enabling autorun

Enabling a "Do not show hidden files" option

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95/

Threat name:

Win32.Trojan.Swisyn

Status:

Malicious

First seen:

2020-07-13 13:03:05 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z4blwovaldgfohlmgnuptcuw735d3mc2qe7ki6oqalw4dq6l3okq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

1934a48de415960438e676f1b9452a3aefcd2bbe4f0a57bb1b7b90cbf9a7f9db

AgentTesla

1badaedfef29ff3d768eb71cb739d45107d67a160244fb2b17a978f2202a5b36

AgentTesla

4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab

AgentTesla

54c9ce578a123b2abbcb00af7638f3d1c93041959ebccf3981a099a869c5a171

AgentTesla

8ba346ef55492842883d94c08295af7efaa3631ecd87f311cdb9b82d5e100684

AgentTesla

96d15bb3fe99161d651573512abb94b55f9b88e72c3a34d52eb4ce7574da8db7

AgentTesla

99a98bc6f2caf5e6fe3e6ada1af35586392ea48a28bc601522bed98454cc6af6

AgentTesla

a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290

AgentTesla

fd2f15ef992f18f206d53d8d162ae4385f283e433bc038e1e61fb81686f2b4de

AgentTesla

+ 11'562 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla persistence

Link:

https://tria.ge/reports/200713-zcnem7j8ee/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Suspicious use of SetThreadContext

Modifies service

Adds Run entry to start application

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Modifies Installed Components in the registry

Executes dropped EXE

Modifies the visibility of hidden or system files

UPX packed file

AgentTesla

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar