MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cf4efab1c2a7131e8335b8439e8b1c2da51bb9417bb90c8b63c08b9f2fec205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	5cf4efab1c2a7131e8335b8439e8b1c2da51bb9417bb90c8b63c08b9f2fec205
SHA3-384 hash:	0f21e21626619eb7718f7277e849a91eb091a2255152e25b0feefc8e03bb23f70354cd62773ce98d3d3b717273fe362a
SHA1 hash:	b2ec8d2e711625f573696755316b290c8686f775
MD5 hash:	fc2d4ca730242c4a464788e00655e646
humanhash:	nevada-oranges-friend-virginia
File name:	Swift copy_pdf_______________________________________________.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	423'424 bytes
First seen:	2020-03-30 14:23:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:2Zt8d2G/CvWpKKDW6fmAPaQkNMrEmwEflG:yWDWImAPaZNYfQ
Threatray	10'733 similar samples on MalwareBazaar
TLSH	1B94020A76E8261BCA7CCFF8245AA05113B1D3A7B5D2F3D64DC1A0CA5ECB7744B42687
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Mal.Kryptik-DL.31932.11696.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-03-30 07:46:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lt2o7ky4fjytd2btlocdt2frylnfdo4uc65zbsfwhqelt4x6yicq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22c79b1b5f13a1133cbff7f937d3f87e03e7d5b335674a776a8a5baa2d72e334

AgentTesla

4436caf91d33d8044d493dda9265fb32c40816f2bd80ae40ac3697bb6605e2aa

AgentTesla

453343ee05918e52f2f632b392dbbae994901b1c9cf244ad60443162085baa91

AgentTesla

8022522744293ee1ca7408866ffe63cbc5ca0a7bf4db49d1a2a739ad7b514bb8

AgentTesla

9539edd2ef18098078d0835ecd1f4e5e5123eef9a3931f3e989fadafb95574eb

AgentTesla

a0e7c96b3d8c83441f059cb09fdf64a5f3b405b1869633364b41635c5e44ee03

AgentTesla

aea689ba7c4adeda5bafe6b669ed36942ef4b7a8ea9739b2af355e44980ee73b

AgentTesla

e90a2fa16211a100579e02c61747a1203a7dd71812782cc94eaa1aa70ef0e76a

AgentTesla

eebb3535bc914313c2e0f55c00d50be9aa838900bb7a0a60caf3adb73eaa06af

AgentTesla

+ 10'723 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample