MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f31b8a6cadf10ee7c20d5bb1ae1c3c009a305ae7e17df33912eed70098a4bc62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f31b8a6cadf10ee7c20d5bb1ae1c3c009a305ae7e17df33912eed70098a4bc62
SHA3-384 hash: be1e078b1411a819c59069c54efb3c8d2d57c8227f5336197760727552db32f7dd6cc44c6e1c868e41a8373679014caa
SHA1 hash: 4a3756721c683e69476296e4bd664c88dcfb1627
MD5 hash: ae579e96a7ce8f77e31118d4ae0a7bff
humanhash: robin-papa-failed-sixteen
File name:dded910ff442d3314400dcd0e7e699ee.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:299'520 bytes
First seen:2020-04-06 09:15:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:xI5MGf8hxoI0ApltHZ/XxJUGI0MrBI++58LbSQOM:xI5Bf8hd9EcQOM
Threatray 10'603 similar samples on MalwareBazaar
TLSH 32542BBD2B98B902F23D593385D1622592F1D0839D22C30F7EC44FF87E617D92A497A6
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1-oABThuFsnkg4zSME6JGpnZMWcavHifR

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 09:48:32 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mnyu3fn6ehopqqnloy24hb4acndawxh4f67gois53lqbgfexrra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03035f39055dc379e10a3f7a79092877c022272c9fb14116c44bd9d3ed637655
AgentTesla
345ef8849cbe5eef544828b73480fdd7f64e2dea39c2764d5a7491878755118c
AgentTesla
4297b0f564c12f9b864cb9c48b6b408ca13349dcc557c3243fe398d4921a8a8b
AgentTesla
4b7062e9320bec266f0634e17a82e44e5b4593b74242ef48c5f430d84fe9f379
AgentTesla
6bdce9236cb2c45000de6d3b5c8253d4f247c68d802f990e2f244d03d93d9df3
AgentTesla
7a3ccb191798f72fb41fb65d66efe2ffc82c848bf1a6d96738a4834a51d71761
AgentTesla
7e674e875d063765fdbb9b7bb4ddffd35f1617a82099e7e791f8c8273c8e8f1a
AgentTesla
cdbbd0b8a60076d5acc56645fb9c09622e32b878f0a8c6201db7c87f5bf09631
AgentTesla
db183fbb41e6ac88f64e72c8b5b21ff971530789ff2ff1df1f5a8d8827b4ded6
AgentTesla
ee7e73942f7e98f086e9abe234870e07bdd2dc36808c26b8c84f434e2c4fa4c1
AgentTesla
+ 10'593 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

GuLoader

Executable exe 048455f6416671249ff633c4a0525bb6bb2d6d871de7b74438247c719c2b2103

AgentTesla

Executable exe f31b8a6cadf10ee7c20d5bb1ae1c3c009a305ae7e17df33912eed70098a4bc62

(this sample)

  
Dropped by
MD5 dded910ff442d3314400dcd0e7e699ee
  
Dropped by
MD5 87a8c423bc3b19e661340eda7e0f74e8
  
Dropped by
GuLoader
  
Dropped by
SHA256 048455f6416671249ff633c4a0525bb6bb2d6d871de7b74438247c719c2b2103
  
Dropped by
SHA256 b308d1a4337890566d367dc14a4029644d955831ecbf8f6baa24bf3418c69b61
  
URLhaus
https://urlhaus.abuse.ch/url/335849/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments