MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207
SHA3-384 hash: cd9773b910c6a0bd0408a8b921d6a271fc9d5af9d951c64db62ea19570354dcd8d9d3921dbed0c00832078ae70ebb64a
SHA1 hash: a3e329714535b831ad30aa08cdd863a1bc1fa249
MD5 hash: 9c97426b60c68fde0b9d2f7141bb967c
humanhash: thirteen-mirror-london-texas
File name:pc1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:824'832 bytes
First seen:2020-08-18 11:44:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e877e52c1d0025820b0d8228acf49bf6 (15 x AgentTesla, 14 x Loki, 4 x Formbook)
ssdeep 12288:U+p7p8KESESHe4/gD6WDSqWl/LDGTGM5irKAKDkhV/jNM8Z8NwERv:PtRES4DBSq2KG2b/YhV/xrZev
Threatray 11'091 similar samples on MalwareBazaar
TLSH 6505AF26B2E0443FD167193D9D0B97B47839BE202E289D866BF55C4F5F3C68139392A3
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: swn0.pinotvineryms.ga
Sending IP: 134.209.153.18
From: "HSBC BANK " <info@pinotvineryms.ga>
Subject: Re: Payment swift copy 18/08/2020- Swift Ref:[SWFA31093538] / ACH credits / Customer Ref:[HX985310810741] / Second Party Ref:[24]
Attachment: Payment swift copy.IMG.iso (contains "pc1.exe")

AgentTesla SMTP exfil server:
smtp.visgring.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/47755/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 11:46:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rp64263nohonyfitewh2q4gzfs3jjhlv2e3q7jusybpbu73uidq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0043c3f1ed670857f0a5d63148581c67c6878833bc767f194c77a6e9ddafb87b
AgentTesla
254920e6788f4cb4975f08c5deef07e932f4a370a38c5197d7a4fb7846ea63ae
AgentTesla
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
58df4d2cea8c94b519a4ef3b44a26236a318202a7f651fc8bf2fb65cf75942e8
AgentTesla
6a0a4894127b64d80992079cbcce8ab2b6998e65ac8dca03259697db83dc9332
AgentTesla
8a1c7d516ce87b96194a19289d40a13f1cde869e3cfa844c3ec5a0b3a8899d38
AgentTesla
abe03fc94f99d47117f6c75cf606d21b2cd361e5694076c87f6057e4c1eac212
AgentTesla
b9929d5795c560d38f4e9a62b9f67c125f05af52411b0f780ccdaf30c5940a76
AgentTesla
ceffcce2144e6f7b1724f53f9812b05c6066efb4cf70ba1ff178a0f50d021d30
AgentTesla
d58f997b8ee320ecd735457793e3f266ad3108dcc3306274431fe34c22f903fb
AgentTesla
+ 11'081 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-mbbb16ahya/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 33748cbe32b703c8fb38fc89a8d3e7312ec9b326c6ac137f3c9cc2b895a76dbf

AgentTesla

Executable exe dc5fee6bdb6b8ee6e0a8992c7d4386c965b4a4ebae89b87d349602f0d3fba207

(this sample)

  
Dropped by
MD5 1f3b2bd253a5857db86653ba44745cfb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47755/
  
Dropped by
SHA256 33748cbe32b703c8fb38fc89a8d3e7312ec9b326c6ac137f3c9cc2b895a76dbf

Comments