MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a
SHA3-384 hash: 4d559164465a671a96b2f863ebbc887e4e6b745c71842fcd80f635dd938883eac5db8855522adec894bc16ddec655471
SHA1 hash: db3e71e8d3b2a78a0ec8c83398637d4b2c0d57b8
MD5 hash: 744eb91ee8457faccf6e25ab7f4297cb
humanhash: bakerloo-tennis-thirteen-grey
File name:SWIFT_ADVICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'040 bytes
First seen:2020-10-15 12:11:43 UTC
Last seen:2020-10-15 20:42:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:gaDQ/7uNQtgTPrv46g26VOfL8olbtPKSUXmDo2b+h28c++dtzV1/6SHjJosmJVsj:gaDQD/tyPr0OACOXmYLyLZ6Y1vhN
Threatray 566 similar samples on MalwareBazaar
TLSH 46D4D0226399AF75F17D677A24B1205047F5B142E322EB0E3EE952CC58A2F405B33B5E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: worldbank.org
Sending IP: 95.211.208.25
From: DBS BANK <aalatabani@worldbank.org>
Subject: PAYMENT ADVICE NOTIFICATION 14-10-20 (DBS
Attachment: SWIFT_ADVICE.iso (contains "SWIFT_ADVICE.exe")

AgentTesla SMTP exfil server:
mail.grandtours.gr:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71367/
Detection(s):
Sanesecurity.Rogue.0hr.20201015-1005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492342
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 07:40:40 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23voqbpxglc4bqqwmiy27bbjlf4pxt5y3ajqv27xr7mvzxqycz5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
306dc076ebd63fe8d969a99984470c480737e86eba1fb55ebe1ef49a8b987565
AgentTesla
44de8368a07efe44888bfe4b83a307c6002a0c4202a02150d884248c8b8ae75d
AgentTesla
5c5ebd97c48cdd89aeaf3977c3f7951b5351e88c6e88e09627357fc1e1226c22
AgentTesla
9a55c48d0f35b724b84edcf878ab46d8be542560d5cae69c3c3bee1cee2a2bc4
AgentTesla
a183a94f7c049de1770e76be272a29e0ec7b3b4344ef5c4dc2fe9ddd5962b5bd
AgentTesla
be277d6a90d21afd8f3ba568d694850f7ce2067fb21c688e321103a3f4e8f80b
AgentTesla
c78749f27a5254383077b7a5b782bc47dcc34401b6acea6ca680f5680ebebf2b
AgentTesla
cdd24be26b9898cde599ec3163d3b4bec147ceae656616d3a21d46fa5ab8a8a8
AgentTesla
d3473a3e73cf0e6c3d25f6631d4b4929f25f14d3997ab4a64f51530314dfb4d3
AgentTesla
e63d9fff34fc1c54b4e9bcb779e8101ca5e65f84d84e153c0788dec7d8ee5d42
AgentTesla
+ 556 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201015-4ad9m5ard2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a
MD5 hash:
744eb91ee8457faccf6e25ab7f4297cb
SHA1 hash:
db3e71e8d3b2a78a0ec8c83398637d4b2c0d57b8
Link:
https://www.unpac.me/results/1d8c82d9-34d9-4c7d-923b-0e63b7fe3d1f/
SH256 hash:
2ff00a996ebc01db1c6d2a79939fc3594ad753c34d2b90c3a73749cb6bda49a1
MD5 hash:
e9ce22d1a49710f0215ee5b8642af2b4
SHA1 hash:
0fc68a7dc5011749f2b9a1b166dd3fd44d2204f7
Link:
https://www.unpac.me/results/1d8c82d9-34d9-4c7d-923b-0e63b7fe3d1f/
SH256 hash:
b04fa9fb38cc9d21aa431c253b9f35c4e5b14ab199ecb59085df65fd20abe57f
MD5 hash:
c94a19dc5333703f12b16ceac1c2cc12
SHA1 hash:
468753ad36b9655554ac6533aa03806a07d7f754
Link:
https://www.unpac.me/results/1d8c82d9-34d9-4c7d-923b-0e63b7fe3d1f/
SH256 hash:
2fc6908a7dec1ee45e765fafa6a0937eaedc8c25c0b983ac3fb64f8e35b55e41
MD5 hash:
89a7e69a75befcfdf73ebfe5d67d152f
SHA1 hash:
48b8af170f74ac72007d0083190767d301db841b
Link:
https://www.unpac.me/results/1d8c82d9-34d9-4c7d-923b-0e63b7fe3d1f/
SH256 hash:
469c8ff4eb52684812d13fc2f2384aea01f3c631702b16ad7bf2f0eaaa6f50d4
MD5 hash:
cecc890e93348a9479c641b6774384a1
SHA1 hash:
66d2fbe64eeeb26f4cf46f677821476299007b65
Link:
https://www.unpac.me/results/1d8c82d9-34d9-4c7d-923b-0e63b7fe3d1f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso efafbcd8c1833e58202139b5877cffdafff021bcb0b8da527e984db8d5f87e38

AgentTesla

Executable exe d6eae805f732c5c0c2166231af84295978fbcfb8d8130aebf78fd95cde18167a

(this sample)

  
Dropped by
MD5 6fb991930bd01b52cce4ac22418c6e8a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71367/
  
Dropped by
SHA256 efafbcd8c1833e58202139b5877cffdafff021bcb0b8da527e984db8d5f87e38

Comments