MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a
SHA3-384 hash:	2f81c982a58adf71e171a2435ebfab2f01bdac6922559e551d40083db779475549cda737bbc7cf1701f90f6bd30d1491
SHA1 hash:	beb9d07658eac9f4eb00b419a1e3102bf5521d28
MD5 hash:	fa07eec0936d4b578d9743d8c47dc0f7
humanhash:	lemon-washington-kitten-rugby
File name:	Bank TT Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	820'224 bytes
First seen:	2020-04-29 15:04:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	556c6a7e5f749bf800bb7913c54276f4 (10 x AgentTesla, 8 x Loki, 4 x RemcosRAT)
ssdeep	12288:/JtGIf+pco+KipZHb9GNTU6Bd1K/+71UWS3juxpQZh/fMRnbtRMdlU5:/LdfZhpFb6TU2uE19S3jmnbHAU5
Threatray	11'239 similar samples on MalwareBazaar
TLSH	9005B026F1D04837C263EA3C9D5B57A4A83A7E103E29A84F6BF81D4C5F3869175392D3
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-29 09:30:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jbys2v36auau5w4rdmsbwr6qbd77nedzedsbcrxxzgtguh4p6uva._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

312ca2779ca2502a35fa0de2215e9ada5965a55896842f0c7d6742b8989d50f3

AgentTesla

4e572772b1f4f02a1cf0194b2d560638e1898f467827beb525dce28278baacc9

AgentTesla

71079b6770db403249ebaef088f4e3929d357ac797a470f64fd240e50a995a4c

AgentTesla

76e663fac059a1659275bf54e20ee9ee4667fdbd0c7a7a7c40b4fa472ce4e186

AgentTesla

87626640140d28f12ad7797fb1a99db9e448cea959f452664873f81231cb9087

AgentTesla

9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1

AgentTesla

a574b201fa1b1b05d857cff48993efd19a3f700c55d6a7ea8ea9a1da30becb62

AgentTesla

a63dfd81e0eb6283bc0051a3c1f80ba0eb818d132aafe5e6a1cc3cd63a3433ff

AgentTesla

cc764009f2970de6acb84a66e9a21b4d854d92aeee5364ffe513bdcb542bdd7e

AgentTesla

+ 11'229 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample