MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98a3c6cfb4222c9123a5c6a1622a2ffd8cdf7d1831124cf71920c73eaf07bb72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	98a3c6cfb4222c9123a5c6a1622a2ffd8cdf7d1831124cf71920c73eaf07bb72
SHA3-384 hash:	ee9a77183295ecfe1b0812e552cb02ff7737a34b61b79ff272ac0002b7dff4466ab7694dfc7c4f74122a5c0cedd0141c
SHA1 hash:	ed2aeb76fdce26c623abc0819aa5d71644eac744
MD5 hash:	de509cd78f9a02a9a65938099c98c82e
humanhash:	bluebird-lithium-pennsylvania-october
File name:	Tactical PO 54407.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	563'712 bytes
First seen:	2020-04-23 13:35:02 UTC
Last seen:	2020-04-23 15:09:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:sK1UbEooiQbqx9RLWcVfVI1tYNlMnPr6RxJY66:4oinxzWKe1iPbxJY66
Threatray	10'591 similar samples on MalwareBazaar
TLSH	39C4BF382AEE842DF17B9F7985D46595DBBEF6223607F60D21D1038A4E23780DE6113E
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.33713179.1431.3897.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-23 00:59:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tcr4nt5ueiwjci5fy2qwekrp7wgn67iygejez5yzeddt5lyhxnza._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

224ab722b0f40b718c2cdb257231bb871b90a2d7181637a8d1558166b7d49c6e

AgentTesla

386b44b11f9f56d11742ad06c71f26bad34f475bb56aee994622853b108dd345

AgentTesla

3b64428cd4d6109629367e12bfec214c7285c9c1725853c65c8b81d304e959c3

AgentTesla

527ca131153a2edba28393f94ecf578531449b3c2f186648ed40ba5a2a2ad643

AgentTesla

75ab3e85a2efc83d400874030868b63889100dd171d79a9a7b34493758ce1d1c

AgentTesla

8ab45eb97285241116fb268afc0a0e594ac04f29f32cd62a659447a0b14e3c37

AgentTesla

bc5efe518d14b2718d94816af9dc2a74180d522d483cb20014ad5864c32d220c

AgentTesla

c282023a749f3874b6434c657c79f70f9703c3e6a57aea7e29edd175353041cf

AgentTesla

d6701c818eb13ccbaf22740946613f1e446522197f4b438cb700fb541d36f0d6

AgentTesla

+ 10'581 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample