MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e9b18a9ae56099292d10bd537b24db851b03b38a54028f5460b1433f4aa627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e9b18a9ae56099292d10bd537b24db851b03b38a54028f5460b1433f4aa627
SHA3-384 hash: cca8c092067114a939c6dac0e3b0b3332973bca2389565c83abd3a057e9362ae994a9c326177e69576d6212b7f256fdd
SHA1 hash: 999c39406bca7bb2ccf46ceec93ad084daed5d19
MD5 hash: a8dcdfcf26dda3d6f2c503f3479313fa
humanhash: berlin-low-louisiana-delta
File name:Shipping invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:722'432 bytes
First seen:2020-04-22 08:02:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 482a26ed176d4546edc420ee3d6a7b80 (1 x AgentTesla)
ssdeep 12288:exnVrgjySed3y8Lpvvt4e9ZoR2aaXBMCwFWyIm4Kt+R4fILtgjiSoS1eV:YNWQdVvv3IpCMNUyImL+mILMOSa
Threatray 11'580 similar samples on MalwareBazaar
TLSH D1E4B022E7E05833C3631A79DD1B57A8983ABD103D2D5D461BE41F4CAF39782396B293
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.AgentTesla-7687363-1
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-22 03:45:33 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idu3dcu24vqjskjncc6vg6ze3ocrwa5trjkafd2umcyugp2kuytq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0107fadc185fd6b53dc033d4a79e53ef1621ae623917de029b6c02eeae2021c1
AgentTesla
18db348d2bc13a33da2eb37da197acc9072aab8a006ee052e5bfbc57ffc99cee
AgentTesla
47dc93d9f50e610072c38ed05d454b31b9a4d9c31f2abc75840dea36ec4ef374
AgentTesla
6407a885f99633b2f5559e9f04b001a859367468dd7e761fb28d527995f3112d
AgentTesla
7dd1ac7e7f7f3a85ebdcf6337b4f83dee2e6421ee4373e6328c08d8a0854ae9a
AgentTesla
a5efbcb25b4339ea9e004364c443afaadb86353cce9dcd9508115bda5a57be88
AgentTesla
b4ddc58acc408b2ba14056f04e2a989f229e537dc7132a48250b3565ef82ca09
AgentTesla
ea2b4579502edcbf620e89086f0d701f1533ca67f5dcaec50a57fb4e8b8e46f5
AgentTesla
f3141eb0d06d4ddce695865bbd38b6d1c9fa564d3ab4a9f1a5d1c0bb9c9931cc
AgentTesla
f4ee68967541641ce9b2ba8ba7f2741d9756cde1a4f32ba9495cf35ba06b7f01
AgentTesla
+ 11'570 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 40e9b18a9ae56099292d10bd537b24db851b03b38a54028f5460b1433f4aa627

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments