MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36af666d53cba0e9c1b3a2e4e6d9513581090d3fdea442cb13dab3aa2bdf6d72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36af666d53cba0e9c1b3a2e4e6d9513581090d3fdea442cb13dab3aa2bdf6d72
SHA3-384 hash: cca7e4e997838e258eb66f8a0e96dfa8c55f497d015564077b38e808f83f94ec70d149d5dca37c57a70f861a7bcf9e40
SHA1 hash: 596ccaa79687a347979c5bd4e990127fae123302
MD5 hash: c12e009e1eb1ba603ec40e4f511c2312
humanhash: fifteen-kansas-floor-eight
File name:b2aa8dac24107bb5a221873d17141116.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:300'032 bytes
First seen:2020-04-01 01:20:11 UTC
Last seen:2020-04-06 12:05:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8i2FrL96RDf5TPy3wfIq9269gTD6lZi1TEd6KZm9GaqFbxoeTV:8i2aRDuon9gqlZMooeTV
Threatray 10'483 similar samples on MalwareBazaar
TLSH BF542A6D2B88F902F73D593249D5666126F2D4834E22CB0F7EC41EED7E527C92D0A386
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1RSFJFlGUu8WdAauqk10KXpDG4jvwp-CQ

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 01:35:25 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2xwm3ktzoqotqntulsonwkrgwaqsdj732sefsyt3kz2uk67nvza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f2ed94f7ce73623cc14daf630cd853c2618b09543688d15bf63e735564b1da8
AgentTesla
143b4a41585c0993a01c538de2f439c5a6fbeaae30b9709e067c838b39a4f468
AgentTesla
2b17be66ea870217fd5ad3e78aac4f7997af78af9e93a7474d488b7478439e83
AgentTesla
4976bb0acc6b6e5901a2b61f85c82e905b4d13c811ec83eb74cc7c300d14b382
AgentTesla
623631ebcd52fe082d1f0507fef53e6a3bcec44cf4225550ad077592db0c0832
AgentTesla
79a6cd0ad542c43bd3b6c3baebe42c7682ad82294ad70a89624c13a9082f1f2b
AgentTesla
98489349a1120f5719ca1ec3d9e10c4f35edfc75944d15f050017c8c3fe2520e
AgentTesla
c4fc5587f9e3741efbd7aca1ef0a1b2471da6c62a02901b9929ac7239e6fd04c
AgentTesla
e9bb806aeef6d85e75074a7dc16d1773899a8fd9de9996c7307afdb4d7b60f30
AgentTesla
f70a7863f6cd67cc6387e5de395141ea54b3a5b074a1a02f915ff60e344e7e10
AgentTesla
+ 10'473 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

364c6bf1b2e89366f873c23150cf4bce6eb0e748d6261a672a2ae9ef112da384

AgentTesla

Executable exe 36af666d53cba0e9c1b3a2e4e6d9513581090d3fdea442cb13dab3aa2bdf6d72

(this sample)

  
Dropped by
MD5 b2aa8dac24107bb5a221873d17141116
  
Dropped by
MD5 3910b276cc71fbf9577a2d4bec899bd7
  
Dropped by
GuLoader
  
Dropped by
SHA256 364c6bf1b2e89366f873c23150cf4bce6eb0e748d6261a672a2ae9ef112da384
  
Dropped by
SHA256 4208faa692c5bf3cdbb9c14c4f8e3e42a14217d356d803353b341f37497290c5
  
URLhaus
https://urlhaus.abuse.ch/url/333192/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments