MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f4e1461ee1be46e15ec0d052f618db1929625b81fbb3b6a7939ec1b8d5d7b63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	1f4e1461ee1be46e15ec0d052f618db1929625b81fbb3b6a7939ec1b8d5d7b63
SHA3-384 hash:	fa3a86eda45654f2bb6cd2c2bb3a8d1c2cd4926cd02368da2000a6faee7125359af11c75f5775500c6bfff9b045b1074
SHA1 hash:	b0ea7645f4f53d0dae0107d810f9ee526ad5c337
MD5 hash:	918a15ebde779195f3bd906cdf85a811
humanhash:	hawaii-march-juliet-magazine
File name:	URGENT PLEASE SIGN.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	781'312 bytes
First seen:	2020-04-22 10:35:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a7edd9901ff2b41392cecfe31f7cc87 (2 x AgentTesla, 1 x Loki, 1 x NetWire)
ssdeep	12288:f9Vhj5lzFXTJekDxG7jnzx9cZ8TxshFprrP6qwanZBd1SW:FzjfFgMG7z0qqLprrP6UHZ
Threatray	11'778 similar samples on MalwareBazaar
TLSH	DBF4C022FFE09837C17716395C1B57A49839BD113E28AB4A3BE40C4C9F7978139662B7
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.GenKryptik.EIXP.13386.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-22 10:39:38 UTC

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d5hbiypodpsg4fpmbucs6ymnwgjjmjnyd65tw2tzhhwbxdk5pnrq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2516fe6075e9d7ee9446bc47745288fab68c86b5e2aeec94f34ee532f5ea6d89

AgentTesla

2b80556f6cd49c291e54b1f0d7d3f15664958412ea6d2c36273e356de9081966

AgentTesla

32f1988136652091a902ab7c0238d9cb5ee033fe10a83e22f760150a2fa38676

AgentTesla

40a28bcd44a3348b0c698efa5cfd48bab8553e31202816ebecf62d23880e78cc

AgentTesla

765d4e32e33979b9ee122877162ddb3741a2cc7df514b96b637e28651399be70

AgentTesla

91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba

AgentTesla

9ae86a8d428c98444aac846e32e8476a9590f9c4219d3b132b2ee04e3477fcc2

AgentTesla

ebe7e1de6e345ed9445e0d8a11241d13cb92a7df15fc5f05a6c5d6bbf9d3244b

AgentTesla

eca4673c4308cb6dfd3757fcda824d93b7076fa2b2e7b2912863cdc4cb3f422e

AgentTesla

+ 11'768 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample