MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf438f4554b9b5184dad63af814f9acd88617df374a2e618294523f1cb7e350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	fdf438f4554b9b5184dad63af814f9acd88617df374a2e618294523f1cb7e350
SHA3-384 hash:	e1602b2a48ecffdac85f2052bb210dd2f92a8f2510ea306c36bf05cdb95798c10bb188b6b3d2b8b062a3274eb4824d19
SHA1 hash:	c13e2245727a30eee07b42344b744c0a05c266fe
MD5 hash:	56bc4649c44fdc3d86ed1f3529923d9d
humanhash:	bakerloo-asparagus-one-india
File name:	Products_Sample_List.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	388'608 bytes
First seen:	2020-03-17 13:19:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:aOYXZ+fi/SkOTvl1OztgoXO/aoxJmbvnhmo7wtXgUght34q6XjIAw+cM+aqWGoN4:+pgiaZhWtxXYFJ+nhHIQp3rqEAwVM+a8
Threatray	10'181 similar samples on MalwareBazaar
TLSH	5784122AFAF5C7A7C9B953B15AE3175097B8E40E5402E31A1CC67ACF5A30B40AD10B77
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Win32.Wacatac.Cml.13836.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Fareit

Status:

Malicious

First seen:

2020-03-17 20:03:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 30 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7x2dr5cvjonvdbg22y5pqfhzvtmimf67g5fc4ymcsrjd6hfx4nia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

133a4e4836245a58ec3415472f0f2c31c40c2c1f013321d77af5d6e6d1c1dea7

AgentTesla

4b8b49bdfa435d0faba2e3964b04e20bbfc86aa4ffc3c3b8e1449894892f125b

AgentTesla

6d58c8e531d65f5713f19a8caf7b6ac0f4ce25adf29a3b96aeee7de4045f409a

AgentTesla

8e26ebee195d4120b62cece46d79a74989b899f3c7bda83a14c5f273cd3f098b

AgentTesla

913c3c055acbcc86b156ce14faaac21a4aeb2aa884c4968397b632d143fe318d

AgentTesla

bf0608df4ec33356cccf0af528cb8272bae2d3e86fc46ef5b80da38c92e77176

AgentTesla

c0a0b1739cea0a7e3eef1f59c9e9c437891786345306fb841c4980a1d57002f6

AgentTesla

d5e06bd5b182c263e985c253a6074e4b538a96c1299f6e2f528d90bfcf15c5e8

AgentTesla

e0bf0691f22474df863042a5635b47492ff19ea813a19e377a04ee01e5e6b87c

AgentTesla

+ 10'171 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fdf438f4554b9b5184dad63af814f9acd88617df374a2e618294523f1cb7e350

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r09 d33812833f386d2381def8fa00d934d137a362c7bf26cc11f9bb21b8d9a93350

AgentTesla

exe fdf438f4554b9b5184dad63af814f9acd88617df374a2e618294523f1cb7e350

(this sample)

Delivery method

Other

Dropped by

SHA256 d33812833f386d2381def8fa00d934d137a362c7bf26cc11f9bb21b8d9a93350

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample