MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9f3224ab5b74db881ce36d3177812635ee6accae03a86c5beec94c095eaa105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9f3224ab5b74db881ce36d3177812635ee6accae03a86c5beec94c095eaa105
SHA3-384 hash: 1e78f6370cc064ff515e1cc019a8cbedbf7b0859d5ba57ec9e3427489977719301d1ff517fcec060efb45d734fc169e1
SHA1 hash: 19239ee77cc6ba85475fa8d2740ce76fd16bfeda
MD5 hash: 73d6a6205b1559f404aca2d96cfeda30
humanhash: stream-purple-five-texas
File name:Purchase Order_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:471'552 bytes
First seen:2020-04-14 14:19:09 UTC
Last seen:2020-04-14 14:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:vQdhwDMdk8/09m/4qYXlt1u6ZrnxdhNT/GMWfEbdMrkIQDXfwuR:vQdhvdk8pRmt1uor2lfEbbRbh
Threatray 10'649 similar samples on MalwareBazaar
TLSH ECA4D0602EDC6911D1BAAE32AEE5D053067D39538C4BC76F08980EDD58B3742AF9353E
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.38314.24988.29295.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-14 14:18:50 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xhzsesvvw5g3raoog3jro6asmnponlgk4a5inrn65skmbfpkuecq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0254f414295e7637c690312621a7b21586d531bdfe058abd870c29587890b72e
AgentTesla
03f5db6aa8252bf8ffaaf6a9e843567ba4bf228bd3309449b16e03e303fd7c12
AgentTesla
1f5bb60370685b8fc740cbc717e01d25d4c3443fb25880d5dfe2d4af32fd49a6
AgentTesla
29037c1a2540247e57f8322e2816cbf9dc49916aa3ea824ba1bd07dbc83c8e3b
AgentTesla
3e126eedc02526ba804d9351d6d9b1a6da2114510f98b4235662ab6fdb024bbf
AgentTesla
4410537e13a01896bab12528953776427755829a7e483890aaafd04a12fc23ab
AgentTesla
5b0318eb9cce4cbe0d3b9e157e018efe32ef71008472f5e5238f1939361ba96d
AgentTesla
af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5
AgentTesla
afa35fe4f4123c181f93d54914069a0e4f4ce56aa30f8051b2eec2ea66a0881a
AgentTesla
ccf82f0f1e542d73385df3b68f7e9fdcae3d9e2a091ea879602ba287b0199203
AgentTesla
+ 10'639 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments