MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 896152b5c1395d1a5cc2b9e57583cbba5d8ce128419d86dcdc7bd23f54bb19d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 896152b5c1395d1a5cc2b9e57583cbba5d8ce128419d86dcdc7bd23f54bb19d4
SHA3-384 hash: 8432b9446b56fc5d2bda2312093eaa7a1e0c911b08004158290805fd4759445640edc8af3aab9afe7002bd23f22cb2d4
SHA1 hash: c6d94d801e822f05695ae373191c2a8c78df8d72
MD5 hash: 9465601a7ae64881dd90d5e1a8f89370
humanhash: pizza-finch-north-item
File name:Shipping Documents PL&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'000 bytes
First seen:2020-04-01 06:41:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3MtN0VRIzjSVtVaQsebIpySAuYMKPeWwg2pEyorbIPZDPKR15v35GuupVz5g:8tN9zjg3axNCuYt32eFEZuR15vp6A
Threatray 10'758 similar samples on MalwareBazaar
TLSH 20E4BF12FA01C694C610227244EDADAC6723F9C723528A1E764E93396E73EC7FE4D94D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.AgenslaNET.1.21596.29397.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 07:35:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfqvfnobhforuxgcxhsxla6lxjoyzyjiigoynxg4ppjd6vf3dhka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07010b2ea440279383896a6adc1512f7636d73f060fd10adff51b45755af9152
AgentTesla
077ea1beb3d55288fae709ca1656bf8ddb08fca31dd675ac81de3980b7b3eaed
AgentTesla
312de3802dada78c710b868a26d744dc65991de475bc741c21c5714a84977813
AgentTesla
4717695c89cf6073f6fb151303d347d706a194db743857cc09a2074d2437889f
AgentTesla
4e0b4d0f9eb54314d659f34847e8f422b1e6c41ce5ffb11ae1b3ae0f0c44ac96
AgentTesla
56ab1237a3aed66ebe3a7464794c1bf41c40596456f92926f6d49e482922ebd1
AgentTesla
639c8ee41234dcab34f5b8b53650f5e8ffaf78d50ccbb1ee807b62c26be770af
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
b8d0aaaac4f35677e4817853585a51dbdcd93cd1a35081e24557107584f318a9
AgentTesla
f7216d025821af6be807018f12db7c5a5bd3cd21ef0176b02c6cbe0f05ac4cf7
AgentTesla
+ 10'748 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 4a1b348b72e3da588d936d79677a83f49afc41e0cc9aed27c5041a89383be25a

AgentTesla

Executable exe 896152b5c1395d1a5cc2b9e57583cbba5d8ce128419d86dcdc7bd23f54bb19d4

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4a1b348b72e3da588d936d79677a83f49afc41e0cc9aed27c5041a89383be25a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments