MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
SHA3-384 hash: 86f672840943d7da61da8e12fb2ffe29aca0b549305de3d1ee03aad52b6c42cb58e75e42d3abc3381a84cc9a5f785137
SHA1 hash: 043e9cf5e494828afe259e5eb3db9d83a410e247
MD5 hash: 72660ac4d028655990e4da27c5e46ae5
humanhash: alaska-three-nitrogen-crazy
File name:transactional payment advise.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:566'784 bytes
First seen:2020-04-01 05:27:47 UTC
Last seen:2020-04-01 17:38:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 52b98db37640377cdbda8f18230bfd2b (1 x AgentTesla, 1 x Loki)
ssdeep 12288:MjBTwll2dV1KrimA58p2MaUpH1OpZHuDIOnK39EWvYU:MjBk30uilSWYwODA9EjU
Threatray 10'957 similar samples on MalwareBazaar
TLSH A9C422D64F144E84E24D2933D11E9EA1C325BC036BACB7988FE2F78976391D1A9D6703
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Inject3.37110.985.19196.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 05:57:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cawnrjzaplupe74ej753khvrrkk3up3gi6vcwllqghotaah7ejoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
086c1521c7a0fbd3682735839bb71e477a3b58925fb20822b92971fba0cf8e05
AgentTesla
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
39436f7a65addc64e6d315ff21c45378e897fe5ec175b8d4e3879ba83a41ce6b
AgentTesla
765d4e32e33979b9ee122877162ddb3741a2cc7df514b96b637e28651399be70
AgentTesla
c566031f2311f0c6769a2bd7280e2b58760ef3df4090b37e542f2f911cbc4f49
AgentTesla
dde1a479210f5225b0312ff6d155d870a094837a26338d594fb431134449aa16
AgentTesla
e8a769ba38c1f1a8c2969c99a3d8b314655096456e9c9dba47170b3666fcdc88
AgentTesla
edced06a3011186bdf81b8e16739f41cb226ce9fdd57e9d8d006da27874aea65
AgentTesla
f3232a34ddf3d75e57216467b754d135204fddc84a1755d694aef2c4a3b599e5
AgentTesla
ffd1a82e1d23f8ec7cc030091831a3977a1a1247790f8bd3d436c551059e9375
AgentTesla
+ 10'947 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play Multimediawinmm.dll::mciSendCommandA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments