MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e93f94c0bb264f3323526dcdce4efcd7e74a95f8d5b2609463a5d27c4b1200cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e93f94c0bb264f3323526dcdce4efcd7e74a95f8d5b2609463a5d27c4b1200cd
SHA3-384 hash: 1c7acc07e189bf89b5953c3125ec73de10d47a6b8606ce7706ac5a372461c8357769f5d55fe1fa39362c657e1741e3b0
SHA1 hash: 6f611ae6de6ecc07595f61b435107e8fec6b52b4
MD5 hash: e2cf9e09f7fac4cea81cc2c2a9b6e3d5
humanhash: india-lion-georgia-yankee
File name:b707c1d36035434ab8f158473e13ecd4.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:297'472 bytes
First seen:2020-03-26 20:15:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:U3mm74Ab/LrjZZ2M8mspQ2Hiqg9GXunbyKoWTV:U3mm7VLrFzuCoWTV
Threatray 10'401 similar samples on MalwareBazaar
TLSH B9543A7D6B88B902F73D593289D1666066F290834D22CB0F6EC41FFD7E527CA2C4A395
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1V15R8ypo2c6O19dw5yr9_SrZyi9szlst

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-26 20:35:38 UTC
File Type:
PE (.Net Exe)
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5e7zjqf3ezhtgi2snxg44tx427tuvfpy2wzgbfdduxjhysysadgq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08fdccf1656b70f8bf5725536429039d536e2fa060ed2b1d689649ffb57e2cbd
AgentTesla
1233735628e647af2813825a96eda3efeed3101426058e1698aea0f55c7407e5
AgentTesla
143940bf5affcf82143d14f73a884baa3eb9e7bdde11f992d9147b9b7997a7d9
AgentTesla
20a94eccb531b9e7db7c2f15b4b02661781688b26407d8cad53ed9c3e1b16f88
AgentTesla
29fabe5df6990ee68cfc1a5b8bdbb07d2bdd2a19a1d2b952706637d0b12e8cbd
AgentTesla
5ecfea430f1801299be4a50346c041ba396e4b7e30f635f7ec579ebf56328d80
AgentTesla
67280c8037e45ad089dd27b8c21fb346a03f49a2026a1c2c4eeef8d86cc00e9d
AgentTesla
8ed339f943c618ed7d55ff92dcad7ee68dcc02753691838fdecb06db6a8e1202
AgentTesla
a59a2b2b84339c4fbba14da12e9bb5235e6aa54ddba5ecb3507769da39d70236
AgentTesla
b7f91e8b80d469bdd1ab452b999a839daff2bd5deb86d24d9a197e7a2941b604
AgentTesla
+ 10'391 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bf27cc99e1af46860a3d6056390c6ea6487cb4f27a5eafca40d25032cbc1f7ff

AgentTesla

Executable exe e93f94c0bb264f3323526dcdce4efcd7e74a95f8d5b2609463a5d27c4b1200cd

(this sample)

  
Dropped by
MD5 b707c1d36035434ab8f158473e13ecd4
  
Dropped by
MD5 29502ba48efa90d9542d33a398556259
  
Dropped by
GuLoader
  
Dropped by
SHA256 bf27cc99e1af46860a3d6056390c6ea6487cb4f27a5eafca40d25032cbc1f7ff
  
Dropped by
SHA256 8b49dc1d4e23045d05b9a5cba7f39af37e86ed6bda954c0fa616ec5af0826496
  
URLhaus
https://urlhaus.abuse.ch/url/330889/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments