MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16bbd94e573b34e7b246d3f4e2c02d56d12bed0ed514377c9c855e2031c5092d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	16bbd94e573b34e7b246d3f4e2c02d56d12bed0ed514377c9c855e2031c5092d
SHA3-384 hash:	d7c777251573f0fed5568c74b3528b7498f3e1966cd7f6ec2bfe7ab0dcb742fa92ca5e6cc51adb3cdc0122c0066f5234
SHA1 hash:	813025a7b526b3f765abe22638a3707c0895c0f4
MD5 hash:	31df882ff062321117a02cc710ef05de
humanhash:	maryland-mike-moon-quiet
File name:	ORDER CONFIRMATION.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	697'856 bytes
First seen:	2020-04-20 11:34:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4313c2d5dda101e9dd453e11d7f55ec6 (4 x AgentTesla)
ssdeep	12288:NiZLRaV3S1bXeZwUy89MobmW7IWmam0YVjAvUv:c1R0h1y82yIXbMu
Threatray	10'978 similar samples on MalwareBazaar
TLSH	C7E4BF32F6E15833C123163D9D4F766CA926BE512D182A472FE51D4CAF29382392F19F
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Zusy-7679709-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-04-20 11:35:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c255stsxhm2opmsg2p2ofqbnk3isx3io2ukdo7e4qvpcamofbewq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

552a6dfb3ccf93b4ce557243d0aa56129c5d9bc031cf5f81cd20f1a701422a2b

AgentTesla

6c23d5aac98c05cf9faca072f1875f7fcde253a4a782dda7d897681bda6f92d9

AgentTesla

7637dfc39e0b31a46b0a129581e6aaab7cfbc6f52bbe705ee62816fa7743b35f

AgentTesla

775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330

AgentTesla

91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba

AgentTesla

9ae86a8d428c98444aac846e32e8476a9590f9c4219d3b132b2ee04e3477fcc2

AgentTesla

9ee99b4dcb7d53e8638d0030e5328ad081a272b0e785f258d5377d9503dcf10d

AgentTesla

a92518585c0fb5eccc1a87ce6e1147ec96b02fd6a773a66377af484e3ce4b669

AgentTesla

a9bde7b444ccaa66a7caa034bfc040bbbeb1ac8707f7077e612fb996dc754e1f

AgentTesla

+ 10'968 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample