MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba
SHA3-384 hash:	b89e17598e760aba436b52b364e4bc095fe4c623d013333ad9b7af98dc0a771ee1a1575fcdb8a5823ae180e2bd6cd494
SHA1 hash:	ae9e88c5d31e63e37d87b3869ef256f201513dd2
MD5 hash:	cf31acf91fdf7f838142e6157fdf1da2
humanhash:	three-skylark-bacon-pluto
File name:	SKM_754e20040710271.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	535'040 bytes
First seen:	2020-04-07 17:25:42 UTC
Last seen:	2020-04-07 17:41:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b8e2c3699cdcb2cc60f4f0484f104f80 (2 x AgentTesla, 1 x AZORult, 1 x FormBook)
ssdeep	12288:m09l3zaV5i79eSHI5FbcbNxCCqCP0PmBH2L2:m09x+VgW5FbS4Pmwi
Threatray	10'982 similar samples on MalwareBazaar
TLSH	D2B4E1203A80CC33D1662230C5A6DEF14B7A7C319E515B5B7BD5AB3F6D30282DAD5399
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.LokiBot-7665516-0

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-07 17:25:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 30 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sg3rdajim6zzkn5czwa3wgvramk2ymq2druogfv7j6uexln4bg5a._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

188cd2049f2d511fbe6ede085f60214b76f73125a16165026d4e4d392f1a721a

AgentTesla

2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d

AgentTesla

27939b70928b285655c863fa26efded96bface9db46f35ba39d2a1295424c07b

AgentTesla

3819948505ca931701228dae2e36089ebf01f7afcabe446f71568785063b96b0

AgentTesla

95178efcb1e75d4c32fb699431765c5b5a1618352ccd287e94e304a8f2555b66

AgentTesla

9ae86a8d428c98444aac846e32e8476a9590f9c4219d3b132b2ee04e3477fcc2

AgentTesla

a1985692a5adc3de0a45492ff919e4de781b2086ab152a56383a391913140744

AgentTesla

a92518585c0fb5eccc1a87ce6e1147ec96b02fd6a773a66377af484e3ce4b669

AgentTesla

e2bdd739217aa553bf65093d6b5c714bf22a43370e328c764f209d50002c3cbb

AgentTesla

+ 10'972 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample