MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ce34d5704ba5ff7da8ea8b1da109e228dbb7c0b53550e76fa545796a9a0cb54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ce34d5704ba5ff7da8ea8b1da109e228dbb7c0b53550e76fa545796a9a0cb54
SHA3-384 hash: 9cd2621444973bcc5ad25681869a0012804554df23142e8de611a13789a35bd7cc7c99b62d63afbff60b21a89e121695
SHA1 hash: b9a3f3aa034131ced30054554daed1ea16670483
MD5 hash: 7de883241847d359d051e9f5c5025c68
humanhash: princess-eight-enemy-wolfram
File name:SAMPLE ORDER INQUIRY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'008 bytes
First seen:2020-04-30 07:54:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+fsaVKk2QMIYWJG2t0R12IDKBZZ6fJHYzUjXs8yBcmMNUTq:JaVl1Ya0qGKDZ6fNrT
Threatray 10'721 similar samples on MalwareBazaar
TLSH D1A4E0AC769076EFC817CD328A641C24FA20B4BB431BE353A497169D994DADBDE011F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: quickwhip.com.au
Sending IP: 212.83.46.23
From: Liandra<sales@quickwhip.com.au>
Subject: REVERSED SAMPLE ORDER
Attachment: SAMPLE ORDER INQUIRY.Z (contains "SAMPLE ORDER INQUIRY.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 22:31:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltru2vyexjp7pwuovcy5uee6ekg3w7alknkq45x2krlznknaznka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
011a4b06a1a31fec0e9d5a013b9721f4e30f0ec963d07c42cb1d0e41c30df389
AgentTesla
069ce231194bdb4305fde084a55ad1026acaa073fcb90110b132ba27a53441ab
AgentTesla
37b9231fcbc7ea5330eebafa2fa55e8fe5cf2a0218aeece6f281a14676dd88f0
AgentTesla
42500f58701c82d20e2255ef2b3b22abe0f0f47e4dc53907c0ca8bafbe01ef25
AgentTesla
56d1018b5e98599629854a6a02b529ed5c9f1372f799747aebb0a9af9cc831d6
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
5bb47f4d839af90df0d747b278c69d873127d2574a3f77965f9e7787385220d4
AgentTesla
8620876c548441699597c4d832de70efc7d058313adeab79c317dbbbd9a3af25
AgentTesla
cd301ca1c374c26aca9bf5381a3b491ae384f06868617c6c16b563213854d159
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
+ 10'711 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 99fb8c3c2f8e9e5df1d9821fac4dfb82d58475c31c94d2148a5564400f33545a

AgentTesla

Executable exe 5ce34d5704ba5ff7da8ea8b1da109e228dbb7c0b53550e76fa545796a9a0cb54

(this sample)

  
Dropped by
MD5 90bc75f02ffa7aa62d995e90c4210830
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 99fb8c3c2f8e9e5df1d9821fac4dfb82d58475c31c94d2148a5564400f33545a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments