MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b474256132ba8b34cac3fbdb508e4a51841a79ce53938ff58b935446556604b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b474256132ba8b34cac3fbdb508e4a51841a79ce53938ff58b935446556604b8
SHA3-384 hash: c9ba02f651c5391b89ed562216f2d9b136d8ca39e79bd1675c6bc41e3b574bc8e4743642a21276ef6c4c19cb46f1340b
SHA1 hash: aea259a1576d1893738f359c4ffdec69190e7641
MD5 hash: 1e961c95ad2b6b4571ba4dbe03c58d9c
humanhash: princess-vermont-moon-maryland
File name:po#AGROSUD PULSE STATS - December 2020 GULFOOD.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'240 bytes
First seen:2020-04-30 12:18:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:K/VywAjErRHi/M1U/gCG68mVozNldw1aiYag3ZI7nTuhUxL+wfhryli8sck/GPN5:K/LXU/U6LVohldw1awed4H4444C
Threatray 10'667 similar samples on MalwareBazaar
TLSH FAF46B583B9070EFD467ED719EA42E70EA16BC73630B96076453329D8A6E5C7EF010B2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.essae.com
Sending IP: 14.141.34.42
From: ramesh.t@essae.com
Subject: Pls offer price#
Attachment: poAGROSUD.rar (contains "po#AGROSUD PULSE STATS - December 2020 GULFOOD.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 12:37:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wr2ckyjsxkftjswd7pnvbdskkgcbu6ookojy75mlsnkemvlgas4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904
AgentTesla
31de84180c22ca65bc34ba7c57f9a89072332de81061111c9cfe118252d52713
AgentTesla
3691ad7dac5edf3fdf42a9f5b1324fa2f00839a2ec4a83cc1accd845f3364932
AgentTesla
48cb0c4fdfb4205cb6453b225e6b0d52a0eaff3dec5d500d9b781e716fd4c394
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
75d96bd9b1835e445b9ea6151181cbbdfe64bf6686cf24d4b595591b951f5c62
AgentTesla
8e6095d902b34ffac0a4121a61d97e80470f79d15938b1cd84de31b1777d611e
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
ee7ad8e5b1668792ad637972d788af49d288c6a8789a1c9bbee5f6df9ec7df00
AgentTesla
+ 10'657 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 91b6153e2db06547fbbd295180fa1db347a05e360a2691d056ce55b58a02f3f6

AgentTesla

Executable exe b474256132ba8b34cac3fbdb508e4a51841a79ce53938ff58b935446556604b8

(this sample)

  
Dropped by
MD5 368f9b9aa561193363441f2ec7253646
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 91b6153e2db06547fbbd295180fa1db347a05e360a2691d056ce55b58a02f3f6

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments