MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
SHA3-384 hash: e2e9e86db116c562c340085278d4057b5715bb34d3c2eddbc3b10df89a684399cf11a460ce741ea17529ef8754399f83
SHA1 hash: 3c050ee749208228e0b65d72053e0bb8fd59d156
MD5 hash: 5cac63a7e3c8c80463c7351e97a08e24
humanhash: moon-sink-four-timing
File name:Bank swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:607'744 bytes
First seen:2020-10-22 06:43:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:9/8r3ePugYAUgTT81wYkiD+6OPu59A1GKZHNYPzod:pBYXg/826D+fPAA1GUKzod
Threatray 727 similar samples on MalwareBazaar
TLSH D6D4012475A9BB33E3BE8BF6346C040993B5255E53B2E3644DE376EA6D90B048BC0D53
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74478/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506659
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 302504 Sample: Bank swift copy.exe Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 58 Found malware configuration 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 10 other signatures 2->64 7 Bank swift copy.exe 6 2->7         started        11 YYtJku.exe 5 2->11         started        13 YYtJku.exe 2->13         started        process3 file4 42 C:\Users\user\AppData\...\JphLAgKXbJKy.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\...\tmp4471.tmp, XML 7->44 dropped 46 C:\Users\user\...\Bank swift copy.exe.log, ASCII 7->46 dropped 66 Injects a PE file into a foreign processes 7->66 15 Bank swift copy.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        68 Multi AV Scanner detection for dropped file 11->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->70 72 Machine Learning detection for dropped file 11->72 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->74 22 schtasks.exe 1 11->22         started        24 YYtJku.exe 2 11->24         started        26 schtasks.exe 13->26         started        28 YYtJku.exe 13->28         started        30 YYtJku.exe 13->30         started        signatures5 process6 dnsIp7 48 us2.smtp.mailhostbox.com 208.91.198.143, 49755, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->48 38 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 15->38 dropped 40 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 15->40 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->50 52 Moves itself to temp directory 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 3 other signatures 15->56 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 26->36         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 05:15:32 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qrgmxobj3abtkpyyqq4sog3lf6cug46iooeucqlnxd3cmyoow4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
AgentTesla
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
AgentTesla
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
AgentTesla
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
AgentTesla
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
AgentTesla
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
AgentTesla
9a6e3d08a19f78c4910503262e775bfeda3c3b53ea5e86e5430e1d4b4c92a6f8
AgentTesla
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
AgentTesla
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
AgentTesla
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
AgentTesla
+ 717 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201022-xe3szxgenj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
MD5 hash:
5cac63a7e3c8c80463c7351e97a08e24
SHA1 hash:
3c050ee749208228e0b65d72053e0bb8fd59d156
Link:
https://www.unpac.me/results/28ae9371-e6dd-45b3-85dd-b22d84d90572/
SH256 hash:
9dcc26a76dff1275f8eba3f75126b06ca9c7d9ecda1a764a4ef0525031539d65
MD5 hash:
b0d73505876b2dfd425e0807f5aa38e7
SHA1 hash:
f10ab23da2573aa23a723b27012bbad4b11a8a3d
Link:
https://www.unpac.me/results/28ae9371-e6dd-45b3-85dd-b22d84d90572/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z bf82c8b84cb2e5b7cf0b29f63ecfa0d598a8e3bf42d89b4f13c0cf5966640a70

AgentTesla

Executable exe dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8

(this sample)

  
Dropped by
MD5 2aafc86fa0a5216efa26d484e1eae354
  
Dropped by
SHA256 bf82c8b84cb2e5b7cf0b29f63ecfa0d598a8e3bf42d89b4f13c0cf5966640a70
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74478/

Comments