MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28a595f1fc9773d9ffbd199d95bb1c40bc7411c7cad62a3c86edeac2bf331c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	28a595f1fc9773d9ffbd199d95bb1c40bc7411c7cad62a3c86edeac2bf331c1d
SHA3-384 hash:	63a63798f6d421110f89f4993d486c22c6e7cf57fecd67a525b9067a84a9f4e024994cc2725954573444ec0608fca8b1
SHA1 hash:	7f9e0f9a1259d280e6a19278e8948647d5ae8931
MD5 hash:	5fa106b11e1b34f6dc6277953091dbd0
humanhash:	cola-purple-berlin-solar
File name:	Proforma Invoice.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	705'024 bytes
First seen:	2020-04-21 04:49:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4313c2d5dda101e9dd453e11d7f55ec6 (4 x AgentTesla)
ssdeep	12288:BiZLRaV3S1bXeZwUy89MobmW7HIz4DtuLqLCCmSL4+Z:o1R0h1y82yoz4Dt+q+ALT
Threatray	11'378 similar samples on MalwareBazaar
TLSH	E8E4BF32F6E15837C12F263D9E4B976CA926BE512D181A471FF41D4CAF39282393B187
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Zusy-7679709-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-21 21:40:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcszl4p4s5z5t755dgozloy4ic6hieohzllcupeg5xvmfpztdqoq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

16bbd94e573b34e7b246d3f4e2c02d56d12bed0ed514377c9c855e2031c5092d

AgentTesla

63e08221ae27afac73c31e6ac42c07501bbb6f0ddfbe571651a1c1045b270653

AgentTesla

69f1c868160889c695289bdbe169f29d34adae6785478f5954023464420324d2

AgentTesla

836fecdac95ba8327cf6e573e45c5f21096099e7f751ac7c6705ee8f43b2c94f

AgentTesla

931e17b17487438da7d558861ec2c1aa91aa94487b4cde8bb925c2c7faaa7585

AgentTesla

a1985692a5adc3de0a45492ff919e4de781b2086ab152a56383a391913140744

AgentTesla

a6a8453fdeb8267c6b076ac3bbf7c055399b7d11cfbc1247f745c09a62a94aae

AgentTesla

b9109a10e2bd041f96b560137b5a5f18c0f03fd399d5386793888b596871defe

AgentTesla

fa2ddd857a72e2eb5f1243e5c6af4d1cc3bc411b2c25e8ca79c9f8bbcb25f27f

AgentTesla

+ 11'368 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample