MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 971a5e9ae9227ec480b3dff1e342ebbc811d5489b86c6733bc51a3b0519a94cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	971a5e9ae9227ec480b3dff1e342ebbc811d5489b86c6733bc51a3b0519a94cf
SHA3-384 hash:	bb54ad47d2c4f9b100edf610ce18aa83222683e22ecf1bdc579496e0a4d973656e8f926350fdb526a8b2a62b06569f5a
SHA1 hash:	b45432e2df4b5117138ce40e2252470324e63984
MD5 hash:	014cb3af573816627bd14ba463dcc7a4
humanhash:	east-venus-september-jupiter
File name:	1884H-5882.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'174'016 bytes
First seen:	2020-04-30 07:33:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Wj8al7mXzkXXPAyRf1Hd060U5CAGoE3qW4+v/2B83lLext5jd:SrBIUfHMUk533/+sE
Threatray	10'819 similar samples on MalwareBazaar
TLSH	FA45029673F53490A499E32DE4CF6854BD0313A62FE23A6C1F875B3834565898EACD33
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2019-10-17 12:46:37 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0e2ee4cd126f3d527db1b9211fbe91d7f071fce9ac8befaf1950af57e8eeeaa7

AgentTesla

11aa22e98826cc2c74889fbfc61f54d8df27d6c83404fab1c6f4d0211bbdbeb1

AgentTesla

3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a

AgentTesla

44c339f76dceed23e3bb1ec0ba2b8f7ae626877a46b50b197d3a03541cadfb0a

AgentTesla

53ce474df018a9e53b47b31bf0885fad2394c180b6231c65bad679e1eea40b92

AgentTesla

54aba7d28765c245604b0e997a94369f497b57f5d79553c7b789b20c5fff9873

AgentTesla

55fe68038a5ddb86a570d0f2bfbda999251bcb73ac2722eaa3741c43e1c6edac

AgentTesla

999d498e1b1ff886d397d4864a167c557d98f5d68251d93ceea16cf5ac55e993

AgentTesla

f0f7008d0d6c92e3030594581a932354f2a0fcbd4c71e8c1e7fc4c6aab13b1ee

AgentTesla

+ 10'809 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample