MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 204f690898978f91c9c1fe23dcbd519bed1c67c7621258f0aeae2b2f58fbe615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 204f690898978f91c9c1fe23dcbd519bed1c67c7621258f0aeae2b2f58fbe615
SHA3-384 hash: af889c2861db739f94bcf16ddadbb74bf7990a4a232f661b9995ee2bb514c6d37e819bf0b0e8d6a0e302a6390158ded2
SHA1 hash: 13bc3e0d3eee21f8353721cec68782a7b8441694
MD5 hash: 21b1c01920dc95530e645d15c39cc5a2
humanhash: carbon-low-michigan-glucose
File name:dj.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:716'288 bytes
First seen:2020-04-30 09:49:49 UTC
Last seen:2020-04-30 16:38:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/kJ9kXIISTrhq8OgbCSWAfxPhrhxCBnvmzSPcLnwISjBtX2IqQItFl1ADUm5ArDL:P18VbCDMNiBnn65z
Threatray 10'594 similar samples on MalwareBazaar
TLSH 0FE48D9C369071DFD567DA729EA42D64EA25B8B7630FC2076013229D8E2DA97DF001F3
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48178.28385.8350.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 08:01:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebhwsceys6hzdsob7yr5zpkrtpwryz6hmijfr4fovyvs6wh34ykq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3168af462696c8edf2bb2ab1537782ca60135573d977c6d3264ca2069871d9b5
AgentTesla
37f3611503d3e8828f5acc568dc065e4fadc60558d1812d3473140d21146c0b4
AgentTesla
3e4c4376c736f74bf5ad2b4854f8e28816e1519c86881e3dc7086506cc7950c2
AgentTesla
4a2c1f3c1df5c34f1c99c8f7cc8b18fae2c71189e6e383face3ff7fa31224f52
AgentTesla
8941d1279e3899cd7342a1f7f1b6da470544a2685e1cdd320be9fc194bea36a9
AgentTesla
b25f3db74d63d42e8cf1c5224ec5b1097036e4ee3339c961d0bf681506dad883
AgentTesla
bc1009772fd685f88c177412db4a333a78723286e656e1f6c0601569dbc3e6a1
AgentTesla
dff01b9f8946ed3792fe4e32ae3f95834c892f16ca219dc99d78fd15064f82a2
AgentTesla
f35fa2a6281a2a24016729d315083a638edf176a890a605dba2ac134e1733bb3
AgentTesla
f8bf34d96ec1821d738a6607f98c114d74e93a55d4d4b21e5fc22354177190b2
AgentTesla
+ 10'584 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 204f690898978f91c9c1fe23dcbd519bed1c67c7621258f0aeae2b2f58fbe615

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/354908/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments