MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89a919f3a26f82f9833fe98b28bf824e788d534d35073c491e0cb7efe05a36dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	89a919f3a26f82f9833fe98b28bf824e788d534d35073c491e0cb7efe05a36dc
SHA3-384 hash:	6829543cbe5d0c650d72143b5931da063c99c61aef83d2eddbd60ec6deebbf28ae74370195577b4fa308bcb3b8d0f639
SHA1 hash:	e470c217f186e6e5beec11fa2e531b5da3d0059d
MD5 hash:	bf52bb0552d33fdccd6a419acc61a4ea
humanhash:	london-maryland-paris-bravo
File name:	89a919f3a26f82f9833fe98b28bf824e788d534d35073c491e0cb7efe05a36dc
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	822'784 bytes
First seen:	2020-03-27 02:48:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1c81fee9fb3207b706e6b384fc5ebc04 (2 x AgentTesla, 1 x Loki)
ssdeep	12288:mL4l2hOMJJmeLc/UUYVKn+mxeJSEY9+bwvVQkH6qchsgBthg:mMshzmDpndAJMSwikaRnhg
Threatray	11'001 similar samples on MalwareBazaar
TLSH	6805AE22AEDC4833D2B32A3D9C1B53A4A83AFE713D2865453BF41D48DF397907925297
Reporter	Marco_Ramilli
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Llac

Status:

Malicious

First seen:

2020-03-26 10:45:46 UTC

File Type:

PE (Exe)

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rgurt45cn6bptaz75gfsrp4cjz4i2u2ngudtysi6bs367yc2g3oa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

1b470ef1508cec54016be60350b81183eaed807168040ae5a9285d7e9bff5f5b

AgentTesla

1fe6c343ee5a8136650b1c1b9c47e497e302acf64a7655c9d753822bc91046bb

AgentTesla

342cb45a17253c6e1a88c20c3705beabc62c44844285d499f4be6eabf9720034

AgentTesla

47eb4409fb5abc4ddcdf8efff5bdf200ee57ebab347601d08c1853c41d88ebcc

AgentTesla

8a5f9b060b9ea5ff21a5b1654836935d779ea8868d8f6d49bff50074ddfcf8dd

AgentTesla

95708fbe180a43fbef0014d207456fd8812cb202d77e1078c466ca474e38c7a8

AgentTesla

b36dc13aeea5e74853a0bccb69f122d3476fafbf5639b8b80d21bab83ca0e781

AgentTesla

bf226819f73da9e080a83d692905eb049f0e75ea6682e2484607f23a4401ced1

AgentTesla

d91349a250737beb2a850a17934110dc7e474d395628252980ada6c3a6906d1d

AgentTesla

+ 10'991 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::EmptyClipboard user32.dll::FindWindowA user32.dll::OpenClipboard user32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample