MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a259ca7c82583749b5dfb55ce19307af4f84e723291de30087d28ae72a410410. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a259ca7c82583749b5dfb55ce19307af4f84e723291de30087d28ae72a410410
SHA3-384 hash: 03cd740c6f736bb68b5ba6d7452d2caff2777e4f55c6872859a67ded62b9ab8554db82054bc1e780e5fad0512bbb13de
SHA1 hash: 7ec91a5037bfcf6426333dcde75b595804dd73ff
MD5 hash: 325fab894abda93d3890702a84ce5116
humanhash: utah-happy-table-five
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.47594.23062.31126
Download: download sample
Signature AgentTesla
Create hunting rule
File size:422'912 bytes
First seen:2020-04-20 17:31:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Yd/Ee1fOWmGLmolSdnP9em4DhK4nA07atpXxAkj:8z2kBsPgZDw4uphAk
Threatray 16 similar samples on MalwareBazaar
TLSH CF941253473E6AD7CFED02BF19B3C094D22C62785662B74BB81C61AE1A6522C1E734DC
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.47594.23062.31126.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-19 10:34:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujm4u7ecla3utno7wvoodeyhv5hyjzzdfeo6gaeh2kfooksbaqia._file
Verdict:
unknown
Similar samples:
27b2bcb2b0bf777208f330b3c6cc92fa40875b1cf6c6294919632d3bdd189d62
AgentTesla
329e8814efa351d1c58c275981a39cf0a9ef0f50d8eb8db9bbb8f70020d75204
AgentTesla
5438104f416bb8a85e3352871e0d05b137548134af616058ddb3f98bde0d1353
AgentTesla
82bb3e9ec03f5237ed521effee5b1825b59e31be522e71a05c129676e60839ee
AgentTesla
d1f4eb095a541ecfe4ae5692a8faba8fe32f04898b10384f77b0a0f0761d380e
AgentTesla
d5be1f1a86ae4c9edabeb1eae9c54035e88a4e5ac97b06caf566e0dc7f71b6f7
AgentTesla
e2f5c669326918553e696b231b23cfa1891cf6e3f875c10f547cb87a9de79195
AgentTesla
e350efd69893b28033dfa6ba293f402c04281453c766022a266ae6be6fbe31aa
AgentTesla
e392370cc393aa7f23fd365625779b48d09669e8699fa09239bad257f4c418aa
AgentTesla
eee7ddeefc84650c313aa4b4683286fffb29eec6f469ce31273529e2082b45b3
AgentTesla
+ 6 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a259ca7c82583749b5dfb55ce19307af4f84e723291de30087d28ae72a410410

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/346885/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments