MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0068cd1c85fc05f425fc6213b8317b2827528285d1a73b7df6135123161448ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0068cd1c85fc05f425fc6213b8317b2827528285d1a73b7df6135123161448ee
SHA3-384 hash: 0259f63c70134a404d5d0c411d3de424838df43ab0e716214d652c7c2bcd02fc1d452d5157e909843fb06a4eddea894e
SHA1 hash: 9e8a2901b8cf9139226837bb65bb48d641b0e7e0
MD5 hash: be57fa6b75ed884090b1d6717af12b71
humanhash: delaware-king-fanta-diet
File name:Shipping Documents PL&BL draft(1).img.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'888 bytes
First seen:2020-04-02 04:28:19 UTC
Last seen:2020-04-02 06:08:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ltN9zzSvaxxqBw1Oaje3yna4V9APiseEkGFThZaNQWE+m:l1zSvaWABKynsibEjMKWER
Threatray 10'613 similar samples on MalwareBazaar
TLSH 24E4CF223681C9A8CAC062B24DF7E9C17763F5C73751861E228A7329BA471D73F4D348
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.AgenslaNET.1.8889.14719.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 08:16:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=abum2hef7qc7ijp4mij3qml3fatvfauf2gttw7pwcnisgfqujdxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
652408958600d63469d0ca6534e7c223f9d3794267fe49fe5e924e28b3dbd0d9
AgentTesla
7666a9640caa1cd3032c124ae3b763f280cae9da5028586721e3aed9f476bf2d
AgentTesla
8cf4d562d03815786cbd7e0fb3c18e5f7e257a216cb833b7e949a2c189ea79b4
AgentTesla
8daf58146648177ecc0b8da2ee4068ef7886065792c7f6fa9eb03fc77c041e83
AgentTesla
c5a4176174c6cd1b56e9e5dc37d4338bbede8af3db82c53a94e41b359bc8c98c
AgentTesla
cdf96811c3ce5645b19c096fa4fffca84bcb7dc4885008f83373fe580ea57f01
AgentTesla
e2d6119bb484c9e5f5a7107b4687553416208badbb881df4328bec5146d08509
AgentTesla
e4a95445ff5dddd4211458a130f22eef7295501a4d3bab11b9f13a4f1c689eb1
AgentTesla
f20b3dc32d42f2f1a64414b5932cc0cb7baf99356445a770a80bf7bed7e144a8
AgentTesla
f6e9e7b2c851a45cf6cadddf0d3481033fc84e0d6f1bbf817f70cb2b837aeecc
AgentTesla
+ 10'603 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e3a7f05f0794da67d558b6faeacee301a223197b6d68989930cbdbcda09fb7ac

AgentTesla

Executable exe 0068cd1c85fc05f425fc6213b8317b2827528285d1a73b7df6135123161448ee

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e3a7f05f0794da67d558b6faeacee301a223197b6d68989930cbdbcda09fb7ac

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments