MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4531baa7e8d734053583c50256fa9f26d5fa8f86bcd86860b26516f1747fc6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4531baa7e8d734053583c50256fa9f26d5fa8f86bcd86860b26516f1747fc6a
SHA3-384 hash: 38d58f7b5739ff98cbde35612637a2dab08e6661b6805ad1d226bc805524ffbf17446e40e47e09016c207d346395de80
SHA1 hash: d821b71f790e135f7b01109e2bf37a8d8eaeb262
MD5 hash: 53d5c3c72ae0c8832e40f008205ee4cf
humanhash: summer-lamp-shade-stream
File name:BITCOIN MINING.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:753'664 bytes
First seen:2020-04-05 06:00:10 UTC
Last seen:2020-04-05 06:46:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fOB7RtHZckRVjBGr+4mEMmJE2hBF/NZmHGkbI5sfCqzfAt8mk2IGFiJZ9:fq7RVyEVVGr+49J5BFTKGkpzfAEJGFS
Threatray 10'864 similar samples on MalwareBazaar
TLSH 4DF4F11035B69E21C77D4EB289631040CFF557BBE926D7CB1DC928EA10ADF890A81F67
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33612426.676.6441.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-04-05 06:38:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6rjrxkt6rvzuau2yhrick35j6jwv7khynpgynbqleziw6f2h7rva._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c902be8109374df73afc935a576dc0160e537e1f9c7b7f9575797df6a772d26
AgentTesla
306f60a415f3935c8eb3e3d13fa6957f8ab8161e0818fc93850d54f0f69d0b3f
AgentTesla
7b0682f987e2856b5ccdb1c31fc5ac81df44c270940d71b3c403a9f361191afb
AgentTesla
976629ac91461654a2eef821bc19b42d547cf584c571cb214a90f7b8e7098341
AgentTesla
9c05da35b9f24c43aebafbffe27c556ec9310bc6caa520af20b1ed0edf2198b4
AgentTesla
af078dd29518dff5e63761879d05deff52166e3d925575082b27eff2c531c518
AgentTesla
b6e08f1f8abd164ee0fc23af8d7bafa881833e2cf7101bf60dd4cad31cdab790
AgentTesla
bca4bb062bec354c21f07300bca545b706478e056b3bb71f3ce41fdb589a26a5
AgentTesla
d41f0d16f59cdbfe25cc61c6659d089223c34216fa3e78e2313d65a254e6f66b
AgentTesla
fdcfe91ecf3940c58623a8e641bbb8065ce851de470f17c98bba19b9d05b0832
AgentTesla
+ 10'854 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 20621a69b7aad8d56fe362c40b21bba9abfe44a8ff42865dcee85aa96c577309

AgentTesla

Executable exe f4531baa7e8d734053583c50256fa9f26d5fa8f86bcd86860b26516f1747fc6a

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 20621a69b7aad8d56fe362c40b21bba9abfe44a8ff42865dcee85aa96c577309

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments