MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b04212fb1aeea566fe8268a73e7449addf9fc0c09dbebec6fae9cebae9834c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b04212fb1aeea566fe8268a73e7449addf9fc0c09dbebec6fae9cebae9834c3
SHA3-384 hash: cfe3974501cbc677ce73511253b818a81cfb53b05c46ec42e1992b45770d78b556a78af92e080a1cbb422cb9a70468ca
SHA1 hash: 35b77d37f1a83a426cae51ff42d0186f82eab77c
MD5 hash: 080f2be3c33dc4bd8e9346378426deee
humanhash: delta-idaho-alabama-lemon
File name:New Order #6546_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:743'424 bytes
First seen:2020-04-30 08:37:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:P85GmezZ4LoZkuWKOWPJl/MzOyrLwCCCEz5/+Hiodh6KhV/poAlfI3zLrRQlGciR:iMyWPgzO4LwCCC
Threatray 10'566 similar samples on MalwareBazaar
TLSH 07F460AC326171EFC857C172EBD85C65EB60247B531B8A13E05302B8AE4C987DF661F6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps1.imagaza.com
Sending IP: 188.165.205.198
From: Purchase/Rolf Mayer <purchasse@ansamcal.com>
Subject: New Order #6546 / 04-28-2020
Attachment: New Order 6546_pdf.rar (contains "New Order #6546_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 09:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tmcccl5rv3vfm37ie2fhhz2etlo7t7ambhn6x3dpv2ooxluygtbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
55a99c172ecc21abb477851da63336dbc01c67bc90f11d08dacd3ac2995e82be
AgentTesla
6920173eb3c5031387b852bd2dce1bdce04ed1199b914b72a009fe257d7e6766
AgentTesla
9b31ec2416aaf3b9d3490dc46a2b4a925f42165685b4adf828289dade16c5205
AgentTesla
9f86e4c1e6b8dd93f705c769d056d73f0f7b28f92b3925ba9a9aee9d3505c5e2
AgentTesla
9fb5e1d1b16b1a20d4994176d4579a90dd2e0a87b0bb6cac123e9894278f61ee
AgentTesla
b2c9554320dfb016f84d544425222acef4bf674bea6527f027c36bc56f301d80
AgentTesla
d3955b520c38bb369e6d3c5e3304fb29e4699cec3aa549fbb8b7f7fe137abf5f
AgentTesla
e1ff7c1f8ccf2e6d990d34158fe517a1ec41c9208d07888d571fa52d3d398c5b
AgentTesla
e4edb75adeeb77973b20f4e65a287125f2a12d53e9a1ab647d5737234bcfbd70
AgentTesla
f1c58bc5387daaca15abc7de2e134f79d9e6371474025be61d9300fbf6b8fc32
AgentTesla
+ 10'556 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 51145509f9005a131cca5866511cd72dee4e0dfe67e2f7139ab1870a9fbf38e4

AgentTesla

Executable exe 9b04212fb1aeea566fe8268a73e7449addf9fc0c09dbebec6fae9cebae9834c3

(this sample)

  
Dropped by
MD5 34121d1ef6770eb390c6c788d164fac7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 51145509f9005a131cca5866511cd72dee4e0dfe67e2f7139ab1870a9fbf38e4

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments