MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02338412aac57c2f4a08135cd7b9a7719519d91627ad8dc62c19c2e147a07de7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02338412aac57c2f4a08135cd7b9a7719519d91627ad8dc62c19c2e147a07de7
SHA3-384 hash: 0508d8abcedb581f1c21f9d4de3e5f58b59539540d70447706086ef05fd0a253715ecd7815d0fc9c5968cd643ddf7320
SHA1 hash: 47b484e9d40e5d4ac29b90f05c2e7882dd25dfae
MD5 hash: c979303258e9eb09b16a6ac8b3e4cd97
humanhash: nine-quebec-mango-johnny
File name:RFQ_NS10900400101001.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:730'624 bytes
First seen:2020-03-22 17:29:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81e653366e2ca301e997f15839ad10b2 (1 x AgentTesla)
ssdeep 12288:pdVf9GKzidU5sFrWrzhgxUGGFzUGzU0o8fnOC+VPhajajLJ5Z:xgXUaFrWxgOGEzpo8vh+u2HJ5Z
Threatray 10'937 similar samples on MalwareBazaar
TLSH D0F4B022F2E14833D163267DDD1B53AC682ABF513A7869462BE41C4C6F39781342BED7
Reporter JoulK
Tags:AgentTesla exe


Avatar
Jouliok
Exfil: support@generce[.]com

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Wacatac-7617026-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-03-10 12:53:00 UTC
File Type:
PE (Exe)
Extracted files:
59
AV detection:
27 of 30 (90.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aizyievkyv6c6sqicnonponhogkrtwiwe6wy3rrmdhbocr5apxtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2836e2f050c5ed948fb0652dde8eca6e867cb25aaa835d8b58738ec251dded5b
AgentTesla
342cb45a17253c6e1a88c20c3705beabc62c44844285d499f4be6eabf9720034
AgentTesla
3e15618bfc4d25f09945e0d56c58c85403faae1db64b55db6caacbb11e476fa9
AgentTesla
4f368d7ff5905aeff8ff706ec195e3d3307c4ab1452608060b300f56c5e4678a
AgentTesla
6e077f8a754b865c8322b86fd21be4c9f6e013e0deed9003671c624033795cf0
AgentTesla
7cebebf611d98fbf9a5775158f605007726df01d2d4622431d6137665203c22d
AgentTesla
d63ec5231d1d805fcf8272f20282fa1bd9b94cc01c309a5eaaf32c1e09f9df6c
AgentTesla
d7b59d350dd16d5c6a39706ba5dade34574798379ac54f0fa0cbea42158435ac
AgentTesla
e200737a203c4aa2f0dd82a3fc5fef097eb0e64b81b231b29b3022741ade5976
AgentTesla
ea39c891ee5af5b1c5d76cb6cfb76cd18e160160fd1a5fe34deec0d240ec7a87
AgentTesla
+ 10'927 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 02338412aac57c2f4a08135cd7b9a7719519d91627ad8dc62c19c2e147a07de7

(this sample)

anyrun
any.run
https://app.any.run/tasks/49be70c4-aa67-4863-b94e-61150f2f0b09
  
Dropping
AgentTesla
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments