MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b04bfbb138a8f6a1ed6b742795df12adbc1ab4875121c759e5c23f0f8c8d5a76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	b04bfbb138a8f6a1ed6b742795df12adbc1ab4875121c759e5c23f0f8c8d5a76
SHA3-384 hash:	f6e61b0f52c91fa407416ebbf00ffc9621e35ca49153028dad492dbf32a3c32f49b6342f7fee018ccedc97747c943339
SHA1 hash:	d9faa56b3f1b19cddc32147e05ee114fd5801315
MD5 hash:	31b32fa229416ba7a513c2d7d5a7e5f3
humanhash:	lamp-cardinal-lithium-edward
File name:	Refund Notification Ipays-Payment Confirmation -Flight TKT 28938293892938 Schedule 7838.2020 MST XXXVIS.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	499'953 bytes
First seen:	2020-04-27 23:13:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep	6144:JtZ0cQn0QIP2jbbY1+lnZEQMAhYzcx8HYt999rDcXEdyuXb76VQalcaThzfO9E:if0BQNUtc24H0ElXCPcaFy9E
Threatray	10'585 similar samples on MalwareBazaar
TLSH	AFB41213BF52E07BD03A4270097689A57FD2B8527748F41BA74B2A2529372CF830F696
Reporter	c_APT_ure
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Grp

Status:

Malicious

First seen:

2020-01-10 16:43:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

2/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2f4964e14972eafa98f1fc8ad81f8dc2eeb45a00ef420cf59db34faba1592ac4

AgentTesla

3e4c4376c736f74bf5ad2b4854f8e28816e1519c86881e3dc7086506cc7950c2

AgentTesla

52c0c1e0e57fe4509ac06d2bcc0910aaea64aa90c55adc434bbfab80fa5fc643

AgentTesla

5e570c2f5a2d7d214e8ecbe04ce55a88dac0ca339932ec54d3027804b2f37bf8

AgentTesla

82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c

AgentTesla

8eced967d43922d45cb0362997c8e727226e633b8995ae9cb0ccc147817b52e4

AgentTesla

a4f5e2cf0da87c59ef9a3ac7560db3a4976c74c3bd2883aae636ded48b972de3

AgentTesla

a744e64bd387c4f4ef681744a8fd7d8ab024e3f6650302f24163fe506e92cccf

AgentTesla

da95177191327894415885bd683840bbe593fefbe4ea00a4b054c264a3e5e88d

AgentTesla

+ 10'575 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::SetFileSecurityA
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileExA KERNEL32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample