MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39436f7a65addc64e6d315ff21c45378e897fe5ec175b8d4e3879ba83a41ce6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39436f7a65addc64e6d315ff21c45378e897fe5ec175b8d4e3879ba83a41ce6b
SHA3-384 hash: 89134cb42d67db89c051a8ee951242f5b0cc6400c30d919258b33a46a8f7ff340a9d8a6f236896cf186d36b25b51c292
SHA1 hash: 451baf1ffa4731645bb480b431c1c397b2316c58
MD5 hash: 75ad5f79fe27075c9b8a2bfec0625300
humanhash: carbon-bakerloo-april-michigan
File name:Delivery Status for Shipment of Goods.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:699'392 bytes
First seen:2020-04-06 05:26:21 UTC
Last seen:2020-04-06 05:38:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0922943cd5e72743dc95ef474069cfd (8 x AgentTesla, 8 x NanoCore, 5 x NetWire)
ssdeep 12288:9FMsYdS3hpwKGoN9LXZz7Dm//oMAfn5Jiee11Gn36VERC8r1N4VI9asVMFSGai:9FMVdSnwtoN97Zz7DO/oMAfnSV11GnSZ
Threatray 10'943 similar samples on MalwareBazaar
TLSH 40E423D3D1534895E19791749BA0956208EEB81F8927E5014D48F0CFAB322E6C39FE8F
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.AgenslaNET.1.24552.8389.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 06:14:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hfbw66tfvxogjzwtcx7sdrctpdujp7s6yf23rvhdq6n2qosbzzvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
086c1521c7a0fbd3682735839bb71e477a3b58925fb20822b92971fba0cf8e05
AgentTesla
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
1a49d8fb2c1ed52fb605e7f4ed8759a7d0a27e20298f8440ace4a0b696ed39d8
AgentTesla
765d4e32e33979b9ee122877162ddb3741a2cc7df514b96b637e28651399be70
AgentTesla
c1e5a204723efe860b161729d087dd50111eba4ab2ad1bc8c2584a2ac888f6f8
AgentTesla
c566031f2311f0c6769a2bd7280e2b58760ef3df4090b37e542f2f911cbc4f49
AgentTesla
cadf00c7c6778328b6a33baca1814637721c5650961e80f579821c4c46b359d1
AgentTesla
dde1a479210f5225b0312ff6d155d870a094837a26338d594fb431134449aa16
AgentTesla
edced06a3011186bdf81b8e16739f41cb226ce9fdd57e9d8d006da27874aea65
AgentTesla
+ 10'933 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments