MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 567f22426e22e1fceb68ea504857023c61c7f33f1fa744f8e5b7723094443914. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 567f22426e22e1fceb68ea504857023c61c7f33f1fa744f8e5b7723094443914
SHA3-384 hash: 561d089f9893ed95e4389961717c2b6693dd24700328fe525bee79d383a5bbd45b5729c39106ca0b6547a9f9c5da5c2f
SHA1 hash: b5feca578dbc7aa37da3ba84fcbfbb9edc1ee664
MD5 hash: b669aba101943eaca5b9a6889b9d8cf4
humanhash: blue-blue-jupiter-victor
File name:4c892ce87ef7c2f99e9a05e54a7b159a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:297'984 bytes
First seen:2020-04-06 12:15:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:gZeJP0boRucvGX2ns4BVMfAe2V1uSG1M722f2AvbaoyTV:mYSKNnGAQDM72JoyTV
Threatray 10'600 similar samples on MalwareBazaar
TLSH DE541A7D2B88B902F73D593349D17660A2F194834D22CB0F6EC51EFD7E527CA284A3A5
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1f7nkkWaHOt2aS8fr0bwl5TBkoRMUO2Z2

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 12:35:21 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kz7seqtoelq7z23i5jieqvychrq4p4z7d6tuj6hfw5zdbfceheka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29fabe5df6990ee68cfc1a5b8bdbb07d2bdd2a19a1d2b952706637d0b12e8cbd
AgentTesla
3c76f0c67f7fbfdf3a728739694eaf9e0988c13f88139d938b2b0c1833daf4a7
AgentTesla
4f368d7ff5905aeff8ff706ec195e3d3307c4ab1452608060b300f56c5e4678a
AgentTesla
502a586c38cb1dd1958f5a201aedccc8d6188cc7944f0d17f31eddabccc4d6c8
AgentTesla
8cf4d562d03815786cbd7e0fb3c18e5f7e257a216cb833b7e949a2c189ea79b4
AgentTesla
8ed339f943c618ed7d55ff92dcad7ee68dcc02753691838fdecb06db6a8e1202
AgentTesla
9926f8cdeb4894246b7db658d899feccfebcd4dce0cf55616712813cee8575b3
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
b788eb3fa4068c4846abac921c00bb9142ce5f19944553055603d1a174aed5a0
AgentTesla
e50e83c36d7a9f0bc303fba9400bc7fdbe64b116df9a7b6ff7affc0bfdc93f18
AgentTesla
+ 10'590 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ee9c583b1b879f90523e55e5e4760e2527467d29acb9b3e0c22dc9f832d44242

AgentTesla

Executable exe 567f22426e22e1fceb68ea504857023c61c7f33f1fa744f8e5b7723094443914

(this sample)

  
Dropped by
MD5 4c892ce87ef7c2f99e9a05e54a7b159a
  
Dropped by
MD5 46ba1d68f9c8b9a89c7f1744cddf39ca
  
Dropped by
GuLoader
  
Dropped by
SHA256 ee9c583b1b879f90523e55e5e4760e2527467d29acb9b3e0c22dc9f832d44242
  
Dropped by
SHA256 e058c87733690307dba65c4477c36870bed9e4901ea558cf79bd743d17bc8d2c
  
URLhaus
https://urlhaus.abuse.ch/url/335846/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments