MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6964ee8dcb661e7e0cbafb20d3b48221630afbcf2168a7e91588301379568b9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6964ee8dcb661e7e0cbafb20d3b48221630afbcf2168a7e91588301379568b9c
SHA3-384 hash: 517bbd665082f2152f60ccb8b85080bf8f13b3ce72213afae856ee48ca11c1831bf0456a39f0b8cd1e3976f2abd8f7f1
SHA1 hash: 7c6c3660a59c261800d26a9949ff0d708792f972
MD5 hash: 2ba9d19954cc1a07995b4a76ece0e3bd
humanhash: oklahoma-oven-harry-massachusetts
File name:Original shipping document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:567'296 bytes
First seen:2020-04-15 05:00:49 UTC
Last seen:2020-04-15 05:46:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fslnelHo0r3Z6bikLloCjf5+0C/CrjhjJlArEJ9wlotcayn8k/Av4d8Ye2:SejoiiI0CqzlAW9lcj
Threatray 10'972 similar samples on MalwareBazaar
TLSH 47C47C9C766072DFC867C976CAA81C64EB60747B871BD203A45326ED990DA97CF041F3
Reporter JoulK
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.38705.9728.27211.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-15 13:54:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfso5dolmyph4df27mqnhnecefrqv66pefukp2ivraybg6kwrooa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c902be8109374df73afc935a576dc0160e537e1f9c7b7f9575797df6a772d26
AgentTesla
21e0177636c75a7a5742a3cdd96cdae72ec26a2d48393eea276f4ec5a40405ed
AgentTesla
3228552bf12eac0d0d241b72489b37b6f25e4f3fca6e7867a3dbc2b912f404fe
AgentTesla
3b64428cd4d6109629367e12bfec214c7285c9c1725853c65c8b81d304e959c3
AgentTesla
5ebd8c0f2000d4da534893201e61cf13b6177a2fa7349827c3d463dcf1917e06
AgentTesla
67117fc3f4246985bc6982cdfc5c76bab224966c86450e12f3c00bbd65e8f911
AgentTesla
8ed339f943c618ed7d55ff92dcad7ee68dcc02753691838fdecb06db6a8e1202
AgentTesla
8ef178d02ea6434e5982b3731f5e54c7b0c1d6023be783dac38764e87ef9cbbe
AgentTesla
d6e5b7d9bdd1ca5d2ee2153cc6955889c1dfb155b2c8caeb5536a50242848c0a
AgentTesla
f8aebcc9afaa71ce6097fb2b9dc2f412c1c98b358fce687f98f3e379216c8fe7
AgentTesla
+ 10'962 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 6964ee8dcb661e7e0cbafb20d3b48221630afbcf2168a7e91588301379568b9c

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments