MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1985692a5adc3de0a45492ff919e4de781b2086ab152a56383a391913140744. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	a1985692a5adc3de0a45492ff919e4de781b2086ab152a56383a391913140744
SHA3-384 hash:	8702bd9bba9b26860ffa5320aa1cac73ab176153541a7098590a0eadc61325801bcc1ddbfb130d55703dbfecd81d8646
SHA1 hash:	c2757da3deb63714979c0f889027019cdcd516e3
MD5 hash:	412737637d455911583f1d457e36e195
humanhash:	uranus-whiskey-april-iowa
File name:	AL NASR.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	707'072 bytes
First seen:	2020-04-22 04:49:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4313c2d5dda101e9dd453e11d7f55ec6 (4 x AgentTesla)
ssdeep	12288:WiZLRaV3S1bXeZwUy89MobmW7lbDwsCC/RZe/lrcREa:51R0h1y82ydCC/6rra
Threatray	10'947 similar samples on MalwareBazaar
TLSH	B2E4AF32F6E15833C353263D9D4F5F6CA936BE51292826471BE41D4CAF3A382392B197
Reporter	JoulK
Tags:	AgentTesla

Jouliok

MAIL FROM:<hr@lettu.us>

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Zusy-7679709-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2020-04-21 11:37:00 UTC

AV detection:

28 of 31 (90.32%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ugmfnevfvxb54csfjex7sgpe3z4bwiegvmksuvryhi4rseyua5ca._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

134e6a89707dc09ee15ea58d2baac9018799421feca11db0c6549aece445be33

AgentTesla

16bbd94e573b34e7b246d3f4e2c02d56d12bed0ed514377c9c855e2031c5092d

AgentTesla

2317f17463f1afca13682f949cc61f1d6bc123e681d12a7d645216a0650eae87

AgentTesla

6ce82de9b05b1a5e2cee73e45292f3e06aa8df33c904724ea5f5bdd536d44c39

AgentTesla

765d4e32e33979b9ee122877162ddb3741a2cc7df514b96b637e28651399be70

AgentTesla

7c124384c122263b3c98e2cd1208ae98d8964e1f0d3fc08b326fd62cd75bc59a

AgentTesla

7dd1ac7e7f7f3a85ebdcf6337b4f83dee2e6421ee4373e6328c08d8a0854ae9a

AgentTesla

91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba

AgentTesla

f3141eb0d06d4ddce695865bbd38b6d1c9fa564d3ab4a9f1a5d1c0bb9c9931cc

AgentTesla

+ 10'937 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	kernel32.dll::WinExec
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample