MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a59a2b2b84339c4fbba14da12e9bb5235e6aa54ddba5ecb3507769da39d70236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a59a2b2b84339c4fbba14da12e9bb5235e6aa54ddba5ecb3507769da39d70236
SHA3-384 hash: 98c4fb2304ebc313d8f68a2f8c34d43cc3b9033056f2abafcb5410158d296fd13307a38e47c8fec206256d9ba0e848e8
SHA1 hash: 532d745d9758686c784b58d7f0c21947ea314cea
MD5 hash: 093c87da8ce590af082b06e3bb825a09
humanhash: hawaii-stream-yellow-foxtrot
File name:1ed060719b788bba8b276350f4e89813.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:297'984 bytes
First seen:2020-03-31 16:40:33 UTC
Last seen:2020-04-02 17:20:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Hd7m8hJvNOLxT0Am4E41K6UX3gDQye9GGZ1bN0oqTl:97mwNqXH8vXQeOoqTl
Threatray 10'481 similar samples on MalwareBazaar
TLSH 5F542A7D2B88B902F73D5D3289D1666022F295834D22CB4F6EC85FEC7F567C9284A385
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1e-gYqr_UgZsyY31ZW40U-CpRRW15-_TW

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 17:55:52 UTC
AV detection:
28 of 47 (59.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwncwk4egooe7o5bjwqs5g5venpgvjkn3os6zm2qo5u5uooxai3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08fdccf1656b70f8bf5725536429039d536e2fa060ed2b1d689649ffb57e2cbd
AgentTesla
1209aa815dfe8b00312a574dbd65fff52b4ea96abd1657572ac76a1e0e788f95
AgentTesla
216a6e8acfa930350c156cdc047088ab9bfb9cf1f490771293427f490daabe72
AgentTesla
2836e2f050c5ed948fb0652dde8eca6e867cb25aaa835d8b58738ec251dded5b
AgentTesla
3b579b5c48b467cb0e3a3b28773a63ce90b11a87f4baba15b98d0af36291a314
AgentTesla
577c53f979f75e226ccd9908f2aebb38fe38667a53509565ae906b5a6bfdce28
AgentTesla
628fb13f63d68b25083522f21c084fc565fd8fe57e05b95b35b76ac01fdbf5ff
AgentTesla
89f5773de397e09275d7d02812ec937343e878030232964061bb6aafdea5ccde
AgentTesla
8f8f28f5eee0d7e5a4bf151528beb476347dd84c94ef721675237f00e391c6f5
AgentTesla
e93f94c0bb264f3323526dcdce4efcd7e74a95f8d5b2609463a5d27c4b1200cd
AgentTesla
+ 10'471 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

489ef4f74e826ec3cec241c1e16f529e8cc5260bc3daa0610002a520dc21037e

AgentTesla

Executable exe a59a2b2b84339c4fbba14da12e9bb5235e6aa54ddba5ecb3507769da39d70236

(this sample)

  
Dropped by
MD5 1ed060719b788bba8b276350f4e89813
  
Dropped by
MD5 ddcc83636e6e0195fd23b6449afe165e
  
Dropped by
GuLoader
  
Dropped by
SHA256 489ef4f74e826ec3cec241c1e16f529e8cc5260bc3daa0610002a520dc21037e
  
Dropped by
SHA256 d54352ec5abdd8ab5ce47099ecd4b3145d84feba09287fa86b44cb143fa347ec
  
URLhaus
https://urlhaus.abuse.ch/url/332784/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments