MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b911f6d28268111bc7523cf78406151d901ac31a84b1a9ab4a26a0f15351ba44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	b911f6d28268111bc7523cf78406151d901ac31a84b1a9ab4a26a0f15351ba44
SHA3-384 hash:	97b9c3271185d6307ef3c1c1016d81d7632524fa4fd001bd68c46f328978195038fe9bb9f368dd4520d86ade6acfa870
SHA1 hash:	d229d1585cddacb468f2f2563726e8353680fc6b
MD5 hash:	d9355103817c6d653d9006a54bd64cc3
humanhash:	juliet-steak-indigo-september
File name:	Ziraat_Bankasi_Swift_Mesaji.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	356'352 bytes
First seen:	2020-04-30 07:28:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:3Qb4aDnWee0Or98QHXJwu/pUxw4hhgYTNQ5tG8HHtv/LDj9cGbngm5/oYgpNEND:sWX98SlpehhStzt7/KwpupQ
Threatray	10'602 similar samples on MalwareBazaar
TLSH	C57423BE9B45482DC5B5CA74B191F9359F3FE2088372250C28B9868F3C9E3655BC1F89
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2019-07-04 01:35:29 UTC

AV detection:

34 of 47 (72.34%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4d1fc12e362e8f90ad1407c54575e3c39f3fd8cacde48007ecf46baa9ba1473d

AgentTesla

70687746d16856251bcc2537aa7d443b5cba17959a553a26ea985ff38f45bca5

AgentTesla

7f88570972b45202587d9ef6f5d8e7c447519c8add58523f162a5fdce479648c

AgentTesla

a4acf9d1c576b9463cad3c69b280750a03530a12c3f020cdffdafffc2c2be808

AgentTesla

a8dba8af9b4c2e9d8d465b6cbab25a3cda793e12a44700b0991519957538cf80

AgentTesla

c0eb2f545d41334272272e0499b31a1725aaf3880f4e0a2469590dc47ce801c4

AgentTesla

cb603bbe0d0bc915182daaab2ad84d4cd6865a11e7198b07de12f97e3c219739

AgentTesla

cb8503881bc157b1c984dfb66a76d2ef039c723666098a917adca4d247ea03d8

AgentTesla

fa84525a3f72a0cbed41a990523a28aa5edf705016713ffd2da78c56e309dbe1

AgentTesla

+ 10'592 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample