MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f7264f096d9aa3d9bc1215a0979566e9fdc64dd58089c7913af18e2709e3f60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f7264f096d9aa3d9bc1215a0979566e9fdc64dd58089c7913af18e2709e3f60
SHA3-384 hash: 149bdf3dcf4aca935ae685aa26e3774cb93399e27c77fd31ac058e086868f9575a84ad2effaaebb026284ffc89dc0f16
SHA1 hash: 791878949a83d212c565703e48a7f4503b583f27
MD5 hash: ce34fe5f4ec7bdf11c490889312716f4
humanhash: october-jersey-freddie-winter
File name:SecuriteInfo.com.BehavesLike.Win32.Fareit.ch.15320
Download: download sample
Signature AgentTesla
Create hunting rule
File size:837'120 bytes
First seen:2020-04-07 09:40:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fff3bd1817ca5b3a439e9ed0a1fe088b (3 x Loki, 2 x AgentTesla)
ssdeep 12288:GE1a0xLFIubbygeGkqCYWWG41Ffr5/qvkp7P0CDWjTJ+LkWhgFd0nTgf:GoZxuu/b6W/1Tt8Cq/J+LkWhadCT2
Threatray 11'192 similar samples on MalwareBazaar
TLSH 20059D16FE908432C17215388F5BF6B85B35BD11FA296B062AD83E4DBE352813D663D3
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Packer.BorlandDelphi-1
Create hunting rule

Win.Trojan.Bladabindi-7663170-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Bladabindi
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 06:32:50 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5zgj4ew3gvd3g6befnas6kwn2p5yzg5laejy6itv4moe4e6h5qa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f2ed94f7ce73623cc14daf630cd853c2618b09543688d15bf63e735564b1da8
AgentTesla
2d7e2c50d9fde2f20a360d73ec3545f50cff138d0ddaf14ae3833034fd7f2f9f
AgentTesla
342cb45a17253c6e1a88c20c3705beabc62c44844285d499f4be6eabf9720034
AgentTesla
518f61b23eb64a58b3bc75b881de46dbbf852a3f77ae3677d5763caeb2ad913c
AgentTesla
6987e9d66b3d7120047b8725caa87c262f1430a2b91a6d1ef717e6f4b6c3fd84
AgentTesla
6e077f8a754b865c8322b86fd21be4c9f6e013e0deed9003671c624033795cf0
AgentTesla
a93c824d20b6d30f7a6cdd41e83dc2ed1b1294c023d25184b2779cd0fd4f2a5a
AgentTesla
c2aece4c0138a4ce56c8baa129b99e8740277795ac3c69e03d3a86cb7e629582
AgentTesla
d363c156cee675f7f4744162acb889dd330284ec40fb65d5bd57ad7c936681a8
AgentTesla
d7b59d350dd16d5c6a39706ba5dade34574798379ac54f0fa0cbea42158435ac
AgentTesla
+ 11'182 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 9f7264f096d9aa3d9bc1215a0979566e9fdc64dd58089c7913af18e2709e3f60

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/336028/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments