MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1adbb491704dbef231e8c467ba7e74894c3ee818461ab28292ec32e3f9b74b5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1adbb491704dbef231e8c467ba7e74894c3ee818461ab28292ec32e3f9b74b5d
SHA3-384 hash: a231415143395a95db8294bc50e5d6b31e40128d2b6ad8336d32439caddcb576aa8c6efaab3eb806943ad2ad6d35c522
SHA1 hash: 07d2e4194d1ac673a33cb049060e827306846f8e
MD5 hash: ac07ee7e58b5796ec145ee149c75da78
humanhash: muppet-fifteen-video-winter
File name:369d0e7aa388c6ec21d03cb06890bf9b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:298'496 bytes
First seen:2020-03-27 18:07:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:SsO0W3RM6FQR7ZPuNaKgjRZdXZ1mPuk/Tmc75b4oyT7:sY6ORMFgV10uoyT7
Threatray 10'677 similar samples on MalwareBazaar
TLSH D0542A7D7B48B902F63E593289D1566013F1D4874E22CB0F6EC85BED7E63BC9284A385
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1XMw-absTzZ1TUJiyTB2-8TOEMmR6u6lG

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-27 18:35:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dln3jelqjw7pempiyrt3u7turfgd52ayiynlfaus5qzoh6nxjnoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02ad360e618d817b9a5da264704a5dfbf337856ea20bdfd471446e0a8fa27036
AgentTesla
123bd24a2bd246b8fe7eec432072912a53acf73b0db15ebb98b0962d4b54e610
AgentTesla
2abb263f721b539317768af1459c89c8e72bc352a8219b9d618569616caac045
AgentTesla
3e49a3d5e53c479d5da50528b7d62df675d22baa97198cc1ba50ea0f40bdd2e7
AgentTesla
829008943eff3aa587242f2dda6989e2f2b1e7cf7abcb10099071aa2444a9cb8
AgentTesla
a6290ccc075d6f4d66eb6bdb5a1e36ef943eddeeead1460e9089564580f36271
AgentTesla
b5cc6999416a62827fc86dc9b6a3f5b0ee3546986af845722ec0d019c8c30f6b
AgentTesla
bf5ea94f9caf0f0db89ebbab1b2d022be6381423eee08d35afd2e14b465ea840
AgentTesla
c7839a3137610ece15b06c73cb4e9ad2b7d175630c13717649974d1965d1235c
AgentTesla
d6b47a7728293728613b03f3e615897081f6f2b09efafa9b798bb3b9dcd0f283
AgentTesla
+ 10'667 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9d1d4bcec41680d3c8e1901588b72767e60d3d67f5692be3d9d8ed40b21823bb

AgentTesla

Executable exe 1adbb491704dbef231e8c467ba7e74894c3ee818461ab28292ec32e3f9b74b5d

(this sample)

  
Dropped by
MD5 369d0e7aa388c6ec21d03cb06890bf9b
  
Dropped by
MD5 1a086927914fe51b6117576334d2a586
  
Dropped by
GuLoader
  
Dropped by
SHA256 9d1d4bcec41680d3c8e1901588b72767e60d3d67f5692be3d9d8ed40b21823bb
  
Dropped by
SHA256 c5d8b8f301f0cba0e1da224595c1b16296b480f07b51687c8268e1da7cf156c4
  
URLhaus
https://urlhaus.abuse.ch/url/331104/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments