MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dad541bfb58986d8e53cf1ebb05c9eced195bc4971283098f8459670545682f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dad541bfb58986d8e53cf1ebb05c9eced195bc4971283098f8459670545682f
SHA3-384 hash: 2048ee78e054e069bd04077d96602fafc833841bab0d56587cfc55b883dc8122afafcf240a08284539fc41693336c2d7
SHA1 hash: 3c4a849af40791970dc739312e7af09a49bed725
MD5 hash: 4f1c2d011f21e34acd8fc4e3a2b16994
humanhash: river-nebraska-indigo-delta
File name:e4e83f81c88beadc230258e11a85a8c8.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:299'008 bytes
First seen:2020-03-27 02:46:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:3mPXtZwnCZkIpRC/K/dUtS4U5jsYiVLIrBjFpUbS5oqTx:W1ZNHGC/N4fVL2oqTx
Threatray 10'410 similar samples on MalwareBazaar
TLSH 49542AAD2B48BA02F73D193289D1666026F1D4874D12CB4F6EC81FED7E527C92C4A396
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://robotrade.com.vn/wp-content/images/img/Ori4_encrypted_2651F90.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-27 03:35:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bwwvig73lcmg3dstz4plwboj5twrsw6es4jigcmpqrmwobkfnaxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25
AgentTesla
0f2ed94f7ce73623cc14daf630cd853c2618b09543688d15bf63e735564b1da8
AgentTesla
143940bf5affcf82143d14f73a884baa3eb9e7bdde11f992d9147b9b7997a7d9
AgentTesla
3a83183d7ddb15963616f33d030932f0f04b71c66cfbec7bd5d2296c2177f6e6
AgentTesla
729456c90c37fc9670fe0723070c8c427186fb55d5754f1dc40ad1e58257ccc6
AgentTesla
8f9706ae3291a23f41bcdc0b9248389d39480087c2394cc249d45f30619441c6
AgentTesla
9d7bcb3e5e8b056065387eef6d1a9267965ed0b013ef8fb8140b4127cd8f16e8
AgentTesla
a215c693d52db997e4a64d302f976d4bccac373250c5c29650fe199d86e6db62
AgentTesla
d49cc06b3345c9e1ef413d9ed3c3d24e0ca4ed591b9675a60d3682c137aa4506
AgentTesla
e2d6119bb484c9e5f5a7107b4687553416208badbb881df4328bec5146d08509
AgentTesla
+ 10'400 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9ced6f748e30f1cd7974d220a43b80691afd3821a93394067e2e0ff49da12a88

AgentTesla

Executable exe 0dad541bfb58986d8e53cf1ebb05c9eced195bc4971283098f8459670545682f

(this sample)

  
Dropped by
MD5 e4e83f81c88beadc230258e11a85a8c8
  
Dropped by
MD5 f22b970725240ac5db322a032ea8ee15
  
Dropped by
GuLoader
  
Dropped by
SHA256 9ced6f748e30f1cd7974d220a43b80691afd3821a93394067e2e0ff49da12a88
  
Dropped by
SHA256 309e6731228f07469a149d53646f3b2bca36b23935c760ccf9edb05094d4beab
  
URLhaus
https://urlhaus.abuse.ch/url/330826/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments