MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 157e2d59ee91293baecbd5c998e21a5fd380bccf67bdc9168da44f5d20aada95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	157e2d59ee91293baecbd5c998e21a5fd380bccf67bdc9168da44f5d20aada95
SHA3-384 hash:	bd68e38eeba6f963813d92634103adc76b098612e5eb98509180b4bbc39dea14bfedc73a24ba5c7dd3203fe48bdcda0e
SHA1 hash:	cf7a044ae6cb93e7a96a3f6b88cf2ff76fd85fef
MD5 hash:	c944b0151a63ebc0ff3e24bbfca73a84
humanhash:	king-fish-charlie-zebra
File name:	TT RECEIPT COPY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	795'648 bytes
First seen:	2020-04-28 05:57:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7d1ea32de3c3634aa168449bee8d056d (9 x Loki, 1 x AgentTesla, 1 x NanoCore)
ssdeep	12288:5k4UJmd7y/wGUXs4weW9kPi2A22g4NgNEZwGXqAmcdLPozZM:qzk4wGaKeKWOg0B5
Threatray	11'080 similar samples on MalwareBazaar
TLSH	C005AE37E2E08537E1771A3C8D5FA3D8B8297E422E389D4A7BE41D4C1E39641742A2D7
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.AgentTesla-7708826-1

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Siggen9.42946.10005.23318.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Loki

Status:

Malicious

First seen:

2020-04-27 23:54:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 30 (93.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cv7c2wposeutxlwl2xezryq2l7jybpgpm664sfunurhv2ifk3kkq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb

AgentTesla

7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953

AgentTesla

7a7ea4a20add0c6022d4e72fe7d7e5558230447a95e0fbaca75780c8f248a9c4

AgentTesla

9622729f9517d5a5eecd4a278ea564d750b17e300337a0f0e023c986bf0e537d

AgentTesla

9feec7852ef1647fa53b548d5d55ae251bd5df7f112f22a63238612b6ffad1ea

AgentTesla

9ff973461fe556e748939d04aab5d5c8452cdb6350d52dbabefb347fc461ef5b

AgentTesla

a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7

AgentTesla

faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212

AgentTesla

fd9d2ae85f8ee25995f7b8580bffd4f4fbff641edf5852e456cbd9df3c2abd19

AgentTesla

+ 11'070 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 221b159a90aef53261b039b8b4b5e9256408265bc1227c32d0720a08cf237222

AgentTesla

exe 157e2d59ee91293baecbd5c998e21a5fd380bccf67bdc9168da44f5d20aada95

(this sample)

Delivery method

Other

Dropped by

SHA256 221b159a90aef53261b039b8b4b5e9256408265bc1227c32d0720a08cf237222

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample