MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c
SHA3-384 hash: d19be99c3bafb1fd8212e1254a4b97f961572edda1349fb57a9d1434aff08a16d27e30700167937de2d573c073d8ce39
SHA1 hash: 94d6329fba754bf40a921765cd0ff199e794ca6b
MD5 hash: 977fb7a3c84121bde18ffb0e62ac2482
humanhash: island-september-nine-alpha
File name:swift copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:659'456 bytes
First seen:2023-06-05 13:32:28 UTC
Last seen:2023-06-05 13:33:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Y2N8jiZ4zypIPsmtPplTY6RhKuUz+FmSq7NQ0VIx2s0hnbPHEI2/9N:Y2N8jiZ4zypIPsmJTDEUm9xQkIfonjHk
TLSH T162E41294767E6F47D8B753F40154A678133E6CAAB632E3474D93B0CA4DA0B081B42F6B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter cocaman
Tags:AgentTesla exe payment

Intelligence

File Origin
# of uploads :
3
# of downloads :
236
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
swift copy.exe
Verdict:
Malicious activity
Analysis date:
2023-06-05 13:33:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5027041d-aa94-4be5-831c-79c8b73f6fa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XorStringsNET
Create hunting rule
Link:
https://www.capesandbox.com/analysis/395794/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67202382.3734.28110.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/647de40f670d83154ad8ac1a/reports/e87f389c-5707-4824-ae7f-0ca902cf3615/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff8f642f-4c0b-4073-a885-3671009cb03e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1248783
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 881799 Sample: swift_copy.exe Startdate: 05/06/2023 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic 2->74 76 Found malware configuration 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 7 other signatures 2->80 7 swift_copy.exe 7 2->7         started        11 lVPsfst.exe 5 2->11         started        13 SIqmq.exe 2->13         started        15 SIqmq.exe 2->15         started        process3 file4 52 C:\Users\user\AppData\Roaming\lVPsfst.exe, PE32 7->52 dropped 54 C:\Users\user\...\lVPsfst.exe:Zone.Identifier, ASCII 7->54 dropped 56 C:\Users\user\AppData\Local\...\tmpBBEB.tmp, XML 7->56 dropped 58 C:\Users\user\AppData\...\swift_copy.exe.log, ASCII 7->58 dropped 90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->90 92 May check the online IP address of the machine 7->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 7->94 96 Adds a directory exclusion to Windows Defender 7->96 17 swift_copy.exe 17 10 7->17         started        22 powershell.exe 21 7->22         started        24 schtasks.exe 1 7->24         started        98 Antivirus detection for dropped file 11->98 100 Multi AV Scanner detection for dropped file 11->100 102 Machine Learning detection for dropped file 11->102 26 lVPsfst.exe 11->26         started        28 schtasks.exe 1 11->28         started        30 SIqmq.exe 13->30         started        36 3 other processes 13->36 32 SIqmq.exe 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 dnsIp7 60 api4.ipify.org 64.185.227.155, 443, 49694 WEBNXUS United States 17->60 72 2 other IPs or domains 17->72 48 C:\Users\user\AppData\Roaming\...\SIqmq.exe, PE32 17->48 dropped 50 C:\Users\user\...\SIqmq.exe:Zone.Identifier, ASCII 17->50 dropped 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->82 84 Tries to steal Mail credentials (via file / registry access) 17->84 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->86 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        62 173.231.16.76, 443, 49697, 49701 WEBNXUS United States 26->62 64 api.ipify.org 26->64 42 conhost.exe 28->42         started        66 api.ipify.org 30->66 68 104.237.62.211, 443, 49704 WEBNXUS United States 32->68 70 api.ipify.org 32->70 88 Tries to harvest and steal browser information (history, passwords, etc) 32->88 44 conhost.exe 34->44         started        46 conhost.exe 36->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 08:18:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xqjfqhjc4uo4sesdc7twbdh4sxjlci3ijnk5balxemnm354e6ga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230605-qthnrsgh27/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5814058627:AAFjPgERfyp3AZJXAfISMezajcw2VR_A_9U/
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6726ceb69c7d0ae0caaf9bab276f6f3de3ad23fff7f36b6f8324b4422d4bf9b6
MD5 hash:
5bb5ab685edd351d16075f3dfd01097d
SHA1 hash:
87e222da3ceaaa3c292444ee4e3933f2920b3e90
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
SH256 hash:
b9580b71d77516b2c51fa4887ff049e1ee8261d3bb4a45cf0d7f8ff45492b491
MD5 hash:
d21eb64badbd0f004774eb771ded295a
SHA1 hash:
494af84caba0b679040d36e14fe1d12f448884f8
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
Parent samples :
ecc62761886dac7775e9dcf2c323e300a5c694e1322496a1ad66808eb7dfd940
7c32af309a2521511d759a08cdc7cefc647e94cbdd590e7f7ef8ef24fa8b539a
12dd7993470fb8771929bc1fa70876866bb29f8a4f43d5c79dc8d643501bd3a0
9c12f011c55fb007079146d47ac150500585108217d74e4209f234006d91590a
997fb68f57771d4e6d2c607afae34ddc7b06daa6f34be448e5f7d67e78b183bf
1680422c807dbbb8686d36461be752fbb2ad0d75d48711de16f85eb72d977203
3c2846461941ebb9805092c18d217a5e78b74619e82f9bb21b2c11d59974cf03
b58289009391f4997135e60b89655880cc54e3e7ebc90e6056401be2b798a3ee
c7057a9a9f625dc07c2d893859df339831330e74a0cfb6b7677bf973f0af279f
734da354d0b8c982d436b43e4f8e105382af3d08def6114dfa685d1230bf64dc
1af9751a544e54a90c1b18ce2fb731d3f9b2e53e7143f9904622706109949abf
ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c
93b2e11e63c3e38bd7d2fc22514d2ae970e35ee23bd9fd829a75d25df3794dd8
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
SH256 hash:
2a7aa2c3ca77e65428795e52da54f6031cabb08d20d7669004e50fccc3baef14
MD5 hash:
b294ab8b2027aad1bde964d479356667
SHA1 hash:
13b8af4e8c07fb8ea8fbfb3285dc536928dbc0db
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
SH256 hash:
ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c
MD5 hash:
977fb7a3c84121bde18ffb0e62ac2482
SHA1 hash:
94d6329fba754bf40a921765cd0ff199e794ca6b
Link:
https://www.unpac.me/results/e68c5f32-5971-4aae-b5d2-d660f3f17e7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d94e86d506e0a9db49d03e5e50e5dae148ccbf61a589d211d44d64b9184ded24

AgentTesla

Executable exe ede092c0e91728ee489218bf3b0467e4ae95891b425aae840bb918d66fbc278c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 d94e86d506e0a9db49d03e5e50e5dae148ccbf61a589d211d44d64b9184ded24
  
Dropped by
SHA256 de65d17e2e20f623215e9615598a9c7d8f87539688101424b75fbb8e39c54cb9
  
Dropped by
SHA256 175e0cb469d36d77574bdd538d82bde32be34176a3834d11c6469581c63e21cf
Cape
Cape
https://www.capesandbox.com/analysis/395794/
  
Dropped by
MD5 d2fa8830d0e31510df665402df5ea346
  
Dropped by
MD5 e738e0520287b8533fcd2b450f47546e
  
Dropped by
MD5 5c3a881244c947d6d394dcca782ddc00

Comments