MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312ca2779ca2502a35fa0de2215e9ada5965a55896842f0c7d6742b8989d50f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	312ca2779ca2502a35fa0de2215e9ada5965a55896842f0c7d6742b8989d50f3
SHA3-384 hash:	ff06230ef3169f9b1890dbf8ba613cae7635651553de8d8786f3e2c7ef59b85cafe1f5dacbbd0d9f65d39669cd7862b9
SHA1 hash:	e618a377f96b32d32785c8eca618412e29f3508b
MD5 hash:	6dfc640a9b4b03578a98e7f2066adb5e
humanhash:	mirror-carbon-virginia-fish
File name:	Bank TT Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	864'256 bytes
First seen:	2020-04-28 13:10:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c0ad2c2ea9dc28bf0db406d9effa5ddd (3 x AgentTesla, 3 x FormBook, 3 x Loki)
ssdeep	24576:a4RXhAvAwGj/Xl0tz5XiJOZzFqrYP2PFL8EK31:9QvA9j9ilXiJOZxqd9L3W
Threatray	11'622 similar samples on MalwareBazaar
TLSH	BE05BF23F2A08877D1B3273C9D1B93A8993ABE113D349E4E3BE51D4C5E347913926297
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-28 00:47:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gewke544ujicunp2bxrccxu23jmwljkys2cc6dd5m5blrge5kdzq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

310109e3b708c413160510f908f5ff048d7a0ad3645aca86cd86eba3a55fb017

AgentTesla

48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a

AgentTesla

48b595428b2e25e856d4fdd098da82bc1f00f6590318bd68120a61bf67f13cb1

AgentTesla

569b8cf6219a91161d48291f13285babe58b3be185623f3ec44c65c8369c2278

AgentTesla

77839da1c15d6390080afe07320af399a007d5b69bf4fcdf63fc71e795929cf7

AgentTesla

7a7ea4a20add0c6022d4e72fe7d7e5558230447a95e0fbaca75780c8f248a9c4

AgentTesla

cc764009f2970de6acb84a66e9a21b4d854d92aeee5364ffe513bdcb542bdd7e

AgentTesla

dde86e3cb1bb7ee1f8d4d7ab3b6c90a1f72c49d568aafb11e910496c7c479aca

AgentTesla

f94788e7bfdc505f85854bc525b126c665f6cb1f16e674bbec097e44b98f949b

AgentTesla

+ 11'612 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
MULTIMEDIA_API	Can Play Multimedia	winmm.dll::mciGetErrorStringA winmm.dll::mciSendCommandA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryInfoKeyA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample