MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37
SHA3-384 hash: e5c9c919f1d5a0ce2a663d72c2b668b4ed5f25250f38736c8076271f2b2a35d93abbc0125103d6846503121bbfae5739
SHA1 hash: 6ba5298ae64dccbd30a17c915428038ab67f1988
MD5 hash: 11f20e9364ef5099187b3445629888d3
humanhash: sink-hamper-nine-massachusetts
File name:412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37
Download: download sample
Signature AgentTesla
Create hunting rule
File size:458'752 bytes
First seen:2020-03-23 16:57:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 175c60f7cf220ca3836844b5a674ff5c (1 x AgentTesla)
ssdeep 3072:zt17ybOENdXAMKz+3LxbGp9uRFCv1VvQia23Q80nOgNo:2bOEnXATzoNTrCvnQ+QZOgm
Threatray 76 similar samples on MalwareBazaar
TLSH 5BA4DF19FAA53F79E46B3DF11170ABDE121D72272B328AFD4C819654C1235E77FA0282
Reporter Marco_Ramilli
Tags:AgentTesla Emotet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Emotet
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Emotet in memory
Reference:internal research
Rule name:win_emotet_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 412d5f1887c34fe7ee92a3fa9328c6003edfd345ad9020f1aed42a4a81341e37

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/78721/
  
URLhaus
https://urlhaus.abuse.ch/url/78719/
  
URLhaus
https://urlhaus.abuse.ch/url/78718/
  
URLhaus
https://urlhaus.abuse.ch/url/78717/
  
URLhaus
https://urlhaus.abuse.ch/url/78716/
  
URLhaus
https://urlhaus.abuse.ch/url/78714/
  
URLhaus
https://urlhaus.abuse.ch/url/78713/
  
URLhaus
https://urlhaus.abuse.ch/url/78712/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcAsyncAbortCall
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetSystemRegistryQuota
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CryptEncryptMessage
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegSaveKeyA
WIN_SCARD_APISupports Windows Smart CardWinSCard.dll::SCardGetStatusChangeW

Comments