MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bed9018959954b065b562f8544a2cb32a39b4f6710694804164491844ed047ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	bed9018959954b065b562f8544a2cb32a39b4f6710694804164491844ed047ea
SHA3-384 hash:	985bdf7250b155fedb11adb8c56547c39e8e350fa7e1905d1a40973589b1c67fe6f5e61935362ad7ad472fc2447d6d89
SHA1 hash:	f9c197e075af9bc56c149cfcc1820062e856eff0
MD5 hash:	45a35133e9af4c52a64342487e96be81
humanhash:	jupiter-red-charlie-lactose
File name:	PIAZZALE NEW URGENT PURCHASE ORDER LIST pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	585'216 bytes
First seen:	2020-03-16 20:19:39 UTC
Last seen:	2020-03-18 06:24:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:exHe9pUsRxylJV/zD8I8bdn2Ol66VKc1:exHerQzVp8bB2Ol66z
Threatray	10'300 similar samples on MalwareBazaar
TLSH	39C48C42B156F2D9C85C927A0193C8D411F12F3A74719EAB29C1216B78FF3D8AE4EDE1
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Autoit-7356348-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Autorun

Status:

Malicious

First seen:

2020-03-16 19:14:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 30 (80.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x3mqdckzsvfqmw2wf6cujiwlgkrzwt3hcbuuqbawisiyitwqi7va._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

130d22d52d43b7bcc72740f05b270d9dcf9e9a178ab081dfbf5ffe30de0f4c54

AgentTesla

3ec3af4549c4eb614c0adbe80eea39646e7b0de97e6ff1fa52c43e0fb2249560

AgentTesla

5bc6e2a48a6e75aeee2a6ac4fc410adf13281c1d0a299b3ffe4ee0d036d235df

AgentTesla

834c9f7bd7ce054f4a5bef137584e93bfe8a018884cb5e9370ba0dae014de3db

AgentTesla

9c77b82a3c0940c736dc6b61591394ed69ae046b90992b427910d3ce28f77772

AgentTesla

9d605d0806d948584dedc30380c5e5f4ce5ee0c565a010a1ef8b2a2d083b5e70

AgentTesla

9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37

AgentTesla

9fed5314906b5873cd970313215aeb2714819bb965dc4bb7648154f1dddb6680

AgentTesla

c63cb2c82dfd94ac6a40c91d5ebdd5d00fe6f2ff0dd785af1f312eff9872861f

AgentTesla

+ 10'290 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bed9018959954b065b562f8544a2cb32a39b4f6710694804164491844ed047ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 8842a14e347758a470038aedee5403e96e431e2218f6cad7c477ed815dc11f38

AgentTesla

exe bed9018959954b065b562f8544a2cb32a39b4f6710694804164491844ed047ea

(this sample)

Delivery method

Other

Dropped by

SHA256 8842a14e347758a470038aedee5403e96e431e2218f6cad7c477ed815dc11f38

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample