MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aa90f6583dde40c643519b2baa2f5d3b3a0e5c4ab54b7e7f64cf662f8c0fabb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aa90f6583dde40c643519b2baa2f5d3b3a0e5c4ab54b7e7f64cf662f8c0fabb
SHA3-384 hash: 539c7f0ed0a3da960163946d902fc170189e10631e10b7368371907d3a848d8642f14de61520bed366651a29af138c65
SHA1 hash: 7778df8bb6ea2f12d966017911dbf8a382478229
MD5 hash: fb372cb7ea0cf0d12cd7e0c0135e93bb
humanhash: freddie-shade-nitrogen-grey
File name:MT TORM HARDRADA V.203-PDA REQUIRED_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:740'864 bytes
First seen:2020-03-23 15:03:25 UTC
Last seen:2020-03-23 17:06:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rC8yWRZi5gQrbnHhTZ6dhzfbUetvOWY1uDy:Ti55jH1AdhzDUexJYc
Threatray 10'336 similar samples on MalwareBazaar
TLSH E5F47C28C6B48D11D5728BF98565A351CE70EF134F2ED6393FA368D9282E7D0B6C2523
Reporter c_APT_ure
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.44329.5165.19081.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-03-04 04:07:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkuq6zmd3xsayzbvdgzlvixv2oz2bzoevnklpz7wjt3gf6ga7k5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1461847eee6ba8dcadbebb76d93add24569d3d16e7ecaa2078c7eb503d43ed39
AgentTesla
205c64751a28eba3128dc0d7a6f15934caef963bd2cfcd5898f0b7b22d72cf08
AgentTesla
21bd1e815e8a6893cff55b01202beff753c20b21594e5d9b92f91ad0dd92ba4f
AgentTesla
285dfcf7b80c7e082218135e3b93eecd1b623ef2a86c5d3bdf9c51978d1ee62f
AgentTesla
689e10eed6804131422d026781776edeaec42d42a35b65512d70acbc3631946b
AgentTesla
80e373ee8f746e0efaa489ac20fffa65ca659ba8c4edffef2d122c33051c1837
AgentTesla
b99b29a8131f9d846fe70bc0700d1b700e484399e5153d7819ef1305495296f6
AgentTesla
c3d2cae309fc29bc97da302dd28532093cf05fa5c2d8e05dfb1199dd69387cc6
AgentTesla
ce41ab91dfb37caeee2c7e4aaf66bc6d611b482b4ac210ae908b6d5090ad4989
AgentTesla
f8aebcc9afaa71ce6097fb2b9dc2f412c1c98b358fce687f98f3e379216c8fe7
AgentTesla
+ 10'326 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments