MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccf82f0f1e542d73385df3b68f7e9fdcae3d9e2a091ea879602ba287b0199203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ccf82f0f1e542d73385df3b68f7e9fdcae3d9e2a091ea879602ba287b0199203
SHA3-384 hash: 7ba69941311f1102f89eb9ee4610653bde0dc74149d288a39def6424f59626c9f1ed77b66f81cb8ac1303b87f3705def
SHA1 hash: 22fc60df7bf113fb67f349f2f23243bdc75cea19
MD5 hash: 9c7be5184e4791e825515ab678da3d13
humanhash: ack-montana-triple-green
File name:RFQ and Company Profile_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:369'664 bytes
First seen:2020-04-16 13:47:10 UTC
Last seen:2020-04-16 15:01:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Ykkwncv0EkiluaTKtjsauEjGUajqCp7GMiQGtCd8CuLmRcCV/LIRDALNXvz:YkkPcoZWhRjGZV74tCd8CuLmRjEZA
Threatray 10'645 similar samples on MalwareBazaar
TLSH C574BE024FAE5A3BE165B776293DF12952F6D866C6965F0F02C80491DE837CB3A317C8
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.47352.2113.5113.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-15 22:20:00 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zt4c6dy6kqwxgoc56o3i67u73sxd3hrkbepkq6laforipmazsibq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0254f414295e7637c690312621a7b21586d531bdfe058abd870c29587890b72e
AgentTesla
0702729c34578ee78cf3cb883ee298fc4aa67dbb433981790605e4e4afb642ff
AgentTesla
1f5bb60370685b8fc740cbc717e01d25d4c3443fb25880d5dfe2d4af32fd49a6
AgentTesla
29037c1a2540247e57f8322e2816cbf9dc49916aa3ea824ba1bd07dbc83c8e3b
AgentTesla
3e126eedc02526ba804d9351d6d9b1a6da2114510f98b4235662ab6fdb024bbf
AgentTesla
4410537e13a01896bab12528953776427755829a7e483890aaafd04a12fc23ab
AgentTesla
5b0318eb9cce4cbe0d3b9e157e018efe32ef71008472f5e5238f1939361ba96d
AgentTesla
af0e59dcbfdc7a8b1a13748ab6e392d165e6b91f0a1ac946b3ea7dc3cbb4fac5
AgentTesla
afa35fe4f4123c181f93d54914069a0e4f4ce56aa30f8051b2eec2ea66a0881a
AgentTesla
b9f3224ab5b74db881ce36d3177812635ee6accae03a86c5beec94c095eaa105
AgentTesla
+ 10'635 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments