MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 812a22333a1389c9f87aaefc126f20c627c234b71da605c72e67bb28ad15cce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 812a22333a1389c9f87aaefc126f20c627c234b71da605c72e67bb28ad15cce9
SHA3-384 hash: 0d8f277f1185b99a091ec1bae5c5ced2dbf889ebcbeeb1e9c25fd107d5a215333f9344261b5dffdeaa8e39c717bf1b08
SHA1 hash: a9be4095fb9ea7a0a29acf165dac9e07b3354c3a
MD5 hash: e574e575385c2152cc9c5c7fd623e3b4
humanhash: stairway-football-carbon-five
File name:Advice Payment.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:448'512 bytes
First seen:2020-04-29 17:14:04 UTC
Last seen:2020-04-29 18:12:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:NZm3roDVHZf1cLP5CIwkygjxq6yyelVylqS19wIsE5pR+RJx:jZH58P5dNJqFO9wIsup4Rn
Threatray 10'637 similar samples on MalwareBazaar
TLSH 219412FC2609233FC66A01B9E2838D40B3F451B6D106F3E91CEB6A5D16ABFD46855783
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.kentextrading.cf
Sending IP: 45.66.250.152
From: postmaster@kentextrading.cf
Subject: Advice Payment
Attachment: Advice Payment.z (contains "Advice Payment.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43064784.23616.4218.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 02:16:46 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qevcemz2coe4t6d2v36be3zayyt4enfxdwtalrzom65srlivztuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b1cfcb20bb2ea0a73543fcdf309e6110bac1663c05fe1e1b334fd4351144db8
AgentTesla
205c64751a28eba3128dc0d7a6f15934caef963bd2cfcd5898f0b7b22d72cf08
AgentTesla
42500f58701c82d20e2255ef2b3b22abe0f0f47e4dc53907c0ca8bafbe01ef25
AgentTesla
47e1f71185f193d015191dec0fd981e6591780a336115fe14638b74031531ac8
AgentTesla
5a06f053014f58149aaff3aef789579d02ee6e1881e89311320dc0df3ae1d674
AgentTesla
69477d03d335e9dc9f9de2e656d8ef11d8111ca35fbc37008a3e2082efbf5af2
AgentTesla
ab63d78243683e8f00bd7a00b3e0ba6867a86bec1abb6b67b24ae3ff9cb65ac9
AgentTesla
d9f827863726fb21fd036363b2090e4454776b3ee1a4665d004da0eaa05126e4
AgentTesla
ed591e1c39a3ba9a2a785f8d859755e54dcb9308288222148b79a6cbff690c0f
AgentTesla
fcc68c78e81eab01751ffe299b6213e6dbe994a6d197367000371e82a4ac0a41
AgentTesla
+ 10'627 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 97a3fcf10e3093dcf46fe0c96e371d276f1d04526dc4b327b5139ea66969d0d4

AgentTesla

Executable exe 812a22333a1389c9f87aaefc126f20c627c234b71da605c72e67bb28ad15cce9

(this sample)

  
Dropped by
MD5 78e8e1e6ea8fc2c7b1889a67be442915
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 97a3fcf10e3093dcf46fe0c96e371d276f1d04526dc4b327b5139ea66969d0d4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments