MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a92518585c0fb5eccc1a87ce6e1147ec96b02fd6a773a66377af484e3ce4b669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	a92518585c0fb5eccc1a87ce6e1147ec96b02fd6a773a66377af484e3ce4b669
SHA3-384 hash:	22cface3339f7533808fb0f97c704bb4c4b2ac1a499c7c60450f0035fb0d9141a1284f434481afb7a2cd7de2e87ea62b
SHA1 hash:	4f82b548851ce2b76bce33b11dbede9241a90d87
MD5 hash:	79f2d7d1ec8f6dc08f6fe89668aabf6e
humanhash:	single-football-solar-tango
File name:	New Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	760'832 bytes
First seen:	2020-04-08 14:00:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	109c5912df9a73e05e81620809756113 (2 x AgentTesla, 1 x Formbook)
ssdeep	12288:n2m9mygck7g4++RWR7imOxL80hHtlYpkF4uYfbLypCvkYOq9aNUk:22TgBtmRfOV3HtmpkvYjWCsYL9ab
Threatray	11'100 similar samples on MalwareBazaar
TLSH	F8F4C032F7A05533C163D6795C0B676CA83AFE1029686A8F1FE51C4C9F39782386B197
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.LokiBot-7664572-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.PWS.Stealer.18836.10292.5784.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-08 13:59:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vesrqwc4b626zta2q7hg4ekh5sllal6wu5z2my3xv5ee4phewzuq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

20d9b3f41efb5490b00ffa6a8836dc9f9d379bbf1cce07fd022f641d162649bf

AgentTesla

27939b70928b285655c863fa26efded96bface9db46f35ba39d2a1295424c07b

AgentTesla

32b9acce63789d2b83866bca1e45f827835ce2f8c2c61fe79d809c441153058d

AgentTesla

3819948505ca931701228dae2e36089ebf01f7afcabe446f71568785063b96b0

AgentTesla

4b21c5534b916f8343417fc50caca0b7396bbb6f4d286cca0be01e8e33d7be7e

AgentTesla

50f97348240541a6a7dbc56c75db5639b5b6bd28bd2c23fe655a147ef2b3c566

AgentTesla

91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba

AgentTesla

af7f679b0251817868160bc51e3bf1d28cab5947639e8eb89dd6aaabbb9a583e

AgentTesla

e2bdd739217aa553bf65093d6b5c714bf22a43370e328c764f209d50002c3cbb

AgentTesla

+ 11'090 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::GetFileAttributesA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample