MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b96866f87f4e27d9e92908fe39a09bd95e88e07a57bdea110113a65e77979aee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b96866f87f4e27d9e92908fe39a09bd95e88e07a57bdea110113a65e77979aee
SHA3-384 hash: 4533d9df91f4a8436c585bda276f49c4d0d4be1c924877a29aaddc83b260620c0a10e0853d30a2b23897150fb46f93c1
SHA1 hash: 5ebbca97444a613436ce9acf13ee53bdec13393a
MD5 hash: a3939d4d1a00ad8ef3be2ab128eaedf1
humanhash: magnesium-victor-high-low
File name:nuovo ordine.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:637'440 bytes
First seen:2020-03-27 10:19:37 UTC
Last seen:2020-03-27 11:32:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:81uArWBOO0wpm5PHcOPfMZN05hu8FyoBXZ8VFze5nk1Qh4O:81jWYwsPjXMZN05piLzokQSO
Threatray 10'572 similar samples on MalwareBazaar
TLSH D7D4BF187AA8F862C66F1238C0A640C557F5DF6B649FD70E4C4234EE56FE742AD83293
Reporter abuse_ch
Tags:AgentTesla COVID-19 scr


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla, targeting Italy:

nuovoordine.zip (contains "nuovo ordine.scr")

Various subjects:
Subject: Re: Re: Re: richiesta di ordine di quotazione
Subject: Re: Re: Re: richiesta di ordine di quotazione covid-19
Subject: Re: Re: Re: nuovo ordine urgente COVID-19

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFL.17499.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Formbook
Create hunting rule
Status:
Malicious
First seen:
2020-03-27 09:06:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfugn6d7jyt5t2jjbd7dtie33fpiryd2k666ueibcotf454xtlxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0adb2bff99574523019596e93ea3d4c8ec0701e43c94389560ff501e28aaa5b9
AgentTesla
1eda9e7d4d2e9846bd9de68424eb590a324bf19465a1019fca4efda13f7716ab
AgentTesla
4837818e08ee30bf269de7aea2a96c3bf5ad97dcac42a9b119011e2d9a744115
AgentTesla
4e30c34466bc79b5a233037bb7ad896604645afd2f912c41538a48b9085e75a2
AgentTesla
5f298f29f101caea92cc338b2f54805748ca316c2f29c2d1a533c28105d93b4b
AgentTesla
75c8f88c9168d6d1c227c9d97e6c04cd485a920aabc49ef1305c9aae039895ad
AgentTesla
8dedf7b9a9babc72bdd7744a378402556bac9eac95aa519ac26f945b9c7de410
AgentTesla
e070c9b84487dcd9290a34f999f51202c1ab7810bbe060a9817d437c9a7840f2
AgentTesla
e13cf5e6ff234c9b17ea31450b207f160df74b4cd0361a50b1122352a1750390
AgentTesla
ef0e3fa0b391bdc3f8a6314ba3ca48cda4cea5a8e8e75f81681d70eaf4f3e39b
AgentTesla
+ 10'562 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c86b7b1441b24a380ec94a3622420cc8ed794aa913616616b66c4286c11a8c34

AgentTesla

Executable exe b96866f87f4e27d9e92908fe39a09bd95e88e07a57bdea110113a65e77979aee

(this sample)

  
Dropped by
SHA256 c86b7b1441b24a380ec94a3622420cc8ed794aa913616616b66c4286c11a8c34
  
Dropped by
MD5 6d822fb2c9bdeda71165f5b7f936c1d8
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments