MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dba18c9e1704591fe1a96b251fdeb88e3b9d73acc49b2269dbb05f1ad065fa03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dba18c9e1704591fe1a96b251fdeb88e3b9d73acc49b2269dbb05f1ad065fa03
SHA3-384 hash: 13c68796823a76cd7be1ceede05129a46eeeea7c62edf446ca887cdd8caa123dab164c71e1ab26d62377cb74f81f5735
SHA1 hash: 7be7f73af660fc64923c3518356eea6fce39324d
MD5 hash: f8292b6a68b76625e921d04c9dbd9b30
humanhash: eleven-washington-july-illinois
File name:proforma invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:557'056 bytes
First seen:2020-04-21 09:58:41 UTC
Last seen:2020-04-21 11:06:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UjlCd53divMux5VPBv2QmAOhI+sSGXwYSKM4AeP4gF3FFYcebLRpjq/:g+fiv9vb+bKMbgF3FHmLRZO
Threatray 10'593 similar samples on MalwareBazaar
TLSH 5EC4D07E7FF90C67CDA442FCC4802441DFB7906D619EE6DA0CD1A4DEA6C8B4A4A87943
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EIXA.24507.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-21 10:28:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3oqyzhqxarmr7ynjnmsr7xvyry5z245mysnse2o3wbprvudf7ibq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0222310264dacbb6096015a467d0f1eeb076c2fe165ea32a8133812aa6a33a0b
AgentTesla
0c902be8109374df73afc935a576dc0160e537e1f9c7b7f9575797df6a772d26
AgentTesla
1f5f22781219094d138082decc3159a6874bbd606ed39c8bee9b64d104fd1c20
AgentTesla
7839460b77054cf1edfb515a1ce85dceb4e7d2478f3a3a5b17b145329c363fd7
AgentTesla
b8fa17693cfb727de11589fd50bfe87ca6b79f361e90301fe81ef9dd08e11e01
AgentTesla
c1efde1391240715573d8b65bca10e0ee302928440521ca1c138265fd6911e44
AgentTesla
d46a237de8dbad0163bd0ba95245251bc85d311f38753f2fc0adf8d436643f14
AgentTesla
d62d8662b27ebb8db5b439aaae7ae0d3fd86d83a458fdef6752dad9576038da5
AgentTesla
f70e14a49f9ddfaaf531f422e34abf77c5d856f9cfd6b7cb45609184e40f10bb
AgentTesla
f875b63a737551156a8c5be8e14ca8952f5867e02b9745dbbf833326fc5d5cd1
AgentTesla
+ 10'583 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 51d571570b5246515fb82961dfb2e867c7fc19d50ac4073fb760a82287b0c188

AgentTesla

Executable exe dba18c9e1704591fe1a96b251fdeb88e3b9d73acc49b2269dbb05f1ad065fa03

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 51d571570b5246515fb82961dfb2e867c7fc19d50ac4073fb760a82287b0c188

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments