MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c913eb5c708579a85685ccee10a9ce487c51f9da743f2100c46e3e0e88d2569. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c913eb5c708579a85685ccee10a9ce487c51f9da743f2100c46e3e0e88d2569
SHA3-384 hash: 88258bfabd381510c83349e8e0bf0011f386645219b9cda1f175221abf5649ceed49ff4bc633c0a70de1f4060d906aef
SHA1 hash: 5576051ca21132931313084b666deee6cbf9420f
MD5 hash: 9e88228d3c9f2a1f68d4ee212ee618f5
humanhash: ceiling-vermont-single-hydrogen
File name:SAUDI ARAMCO - SAUDI ARABIAN REFINERY RENOVATION - Phase 2 Project.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:414'208 bytes
First seen:2020-03-26 19:32:13 UTC
Last seen:2020-03-26 21:47:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Aic1nU15GaTfMVUT/GwJFlLS8+KKArH/H2cBZhkMf23MvlxZT34rLMZY+7Y1:ATpqMe7GwbXKAzBAMf28vl3MrRT
Threatray 10'192 similar samples on MalwareBazaar
TLSH BF94120962B8953FC6DE0F78F452235013F79693F4A3F7994EC4B0F60A9B36449426DA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla malspam rar->exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis9E88228D3C9F.22823.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-03-26 05:33:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 30 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsit5nohbblzvblilthoccu44sd4kh45u5b7eeami3r6b2enevuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0068cd1c85fc05f425fc6213b8317b2827528285d1a73b7df6135123161448ee
AgentTesla
059902f52c04ca2ebba4a9d7c50acd5da1306b1e228ffa57ae5aba61f25a6c59
AgentTesla
296214059663fa3e1243f126c2cf5f689ae0cb91324a3624a97048466b92f875
AgentTesla
2f2a4a900557ab71b03b6c026acaeb9f0e2d23f681c5d0ea58a9b0c493721312
AgentTesla
430e12161cd33ef55da30dd43639bd7924009a568d7ad67513d0051f63ae26c8
AgentTesla
7cebebf611d98fbf9a5775158f605007726df01d2d4622431d6137665203c22d
AgentTesla
89b64c5d839929f94be889829f60548fab8b98ee8f8527fcd0100b24d2c5e348
AgentTesla
8cf4d562d03815786cbd7e0fb3c18e5f7e257a216cb833b7e949a2c189ea79b4
AgentTesla
e66bddaf54c22bca6bb8caa0a8123afeb29dadb323f1905b42a5ea571097b6e7
AgentTesla
f70a7863f6cd67cc6387e5de395141ea54b3a5b074a1a02f915ff60e344e7e10
AgentTesla
+ 10'182 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9b09b691baf24e8d503b74df0e64b4022e0029da34c81dc5271fa182cb7060d5

AgentTesla

Executable exe 3c913eb5c708579a85685ccee10a9ce487c51f9da743f2100c46e3e0e88d2569

(this sample)

  
X
https://twitter.com/SaudiDFIR/status/1243253606498947075
anyrun
any.run
https://app.any.run/tasks/6c8220bf-843f-4a08-96ac-ce9d5e126849/
  
Dropped by
MD5 4b6eb86f18b2a88687649114e0604352
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9b09b691baf24e8d503b74df0e64b4022e0029da34c81dc5271fa182cb7060d5

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments