MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a4176174c6cd1b56e9e5dc37d4338bbede8af3db82c53a94e41b359bc8c98c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5a4176174c6cd1b56e9e5dc37d4338bbede8af3db82c53a94e41b359bc8c98c
SHA3-384 hash: 5b0e36bff4a00257d9c0a54fec25b004bc4a6a23c14c71997f2f105aa0d083eea0450264358dbb0bfdd0554a9a389353
SHA1 hash: e84d2f358625df5bc59fcf7e4e4a5a32dd9124ed
MD5 hash: 3051e63cebc4a90b4463950a9a19e407
humanhash: kitten-texas-salami-fix
File name:jatto.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:707'480 bytes
First seen:2020-04-02 12:59:27 UTC
Last seen:2020-04-02 13:33:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8oMtN0VRIzDZHAVGVaQsebHJTRMov8eD7rphu3gxEGCO0RgCK+sjRK8tTT7Dq:ytN9ztHAQax2dR9ygaC5/+sjMaS
Threatray 10'541 similar samples on MalwareBazaar
TLSH 3FE4D0367E42DA58CA246E7204A499C07BA3F1C73B41CB1E268E4F8D9A537CB7F4E154
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.32066.9590.8497.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 23:33:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywsboyluy3grwvxj4xodpvbtro7n5cxt3obmkouu4qntlg6izgga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
086131bf031aeeb372e3cdd11208f308854b5fc52e68186f738be9cddd01c032
AgentTesla
08f2608e738af40f8ba5a8d34435c988fad03aa07bad9d068379a3134ceaf42e
AgentTesla
3b14e1d76426cce9efbb31dc83050a145a304e91c1089a2f51f2fda8c9bb0c7d
AgentTesla
51a6d60c4bc7ef9118600cc0db492a5187f581bd28a5541914a0764fdd2a5525
AgentTesla
6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621
AgentTesla
94fcc8c7fd53c5463c0d33d1f74b5c7c8c0ae95ef097477958acb9df1ae5a15e
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
d042869b3fe80a8b4c25c8b5bb76e6e66610dd313def5b0a7b35f5d44123cb8e
AgentTesla
ea00e61f682dcda07a223e3812f6b87b2182a3dd9999a6872563ea709bc2d282
AgentTesla
eeaf1a13abc40e26aa08851e533c3fe5770687b10f7194343b2110c3e8ed12e2
AgentTesla
+ 10'531 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/333640/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments