MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 077579ea48e41105384f890a8798b8537b9b15aa03930b80aad5a1f8a920c560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 077579ea48e41105384f890a8798b8537b9b15aa03930b80aad5a1f8a920c560
SHA3-384 hash: e7d279e52fee12321c3ddab5aae36b26f2c6883c4aa496d5fa7eaddc6a6bbc321cdc11415d79d65df581d0b450c52705
SHA1 hash: c8b844912b1da65427e20b160bbd31a96576ee97
MD5 hash: 4394da7e99f78c54c66f3b78dd05dac5
humanhash: happy-ack-fillet-artist
File name:Urgent Purchase Order For Hengsen #000224788946 ,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:603'136 bytes
First seen:2020-04-22 11:17:33 UTC
Last seen:2020-04-22 12:01:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:JWUPlAhS+4TpyJ8PJ8d1xWDXwG5f1Y8vFKZt/Lp2xa5FWI6N8O9klBvuAsvRi8ZW:Aqa14VyJ82YKLOa5uqlBvuAsZPZfl2
Threatray 10'603 similar samples on MalwareBazaar
TLSH 1FD45B2223A087A1FBB074F69D6D3E10D13ACDFF8D82FD8E571539670666160E63346A
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43031146.13051.32247.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-22 11:35:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a52xt2si4qiqkocprefipgfykn5zwfnkaojqxafk2wq7rkjayvqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
062cf3944b0b563efc115688ff8910721db670950acf80c0020351b7d97b48c5
AgentTesla
39ea1e26d4a96ba3f462985e766b70d1999bc0ddb802a38f92b2cb1a257f475d
AgentTesla
3ec241071c7e4652915d56d349936696967e54a34d4943a51bdb20a91893331b
AgentTesla
3f0231acca635a2abb7c57cf8841961f52dcb9670716d92a5417088cc9664763
AgentTesla
a2e17761869255e493552394591dab6b9fac60b3577ec692ec47a7967238a462
AgentTesla
aac57da228f52fbacb94f4382e5ac8eb9d702af8fa0b70237a26c4915bd53813
AgentTesla
b72a41cdaa8d248aa607caa1c8e4b467d8c2dccbfc0bff04edf918e932854463
AgentTesla
d666e5a91a57a39aa50642853734884f6110624d37f144aab68ead30bf74c802
AgentTesla
e69574e6ac1d6ad15114af2aeda93d67df174c915274d3a2520ee540e9f6cc90
AgentTesla
fa691cf8aa039755a4d992e24fdbe89c5ddcddb18821bc920bc20c0450f9f8d3
AgentTesla
+ 10'593 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 74faa839f3948c662db7222606f4317ede0fea99481db0fb80f6f6735569770e

AgentTesla

Executable exe 077579ea48e41105384f890a8798b8537b9b15aa03930b80aad5a1f8a920c560

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 74faa839f3948c662db7222606f4317ede0fea99481db0fb80f6f6735569770e

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments