MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21f21f8f1efd3fdc522bc088eb24233911b58a65a065e1534049e812625bc37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	d21f21f8f1efd3fdc522bc088eb24233911b58a65a065e1534049e812625bc37
SHA3-384 hash:	6a1ca434a68a6714d7f480d40c4a69d5b9360d0c396e5b425e929d9c40ea4ed2d6816049ec843468a38792d568c1f96c
SHA1 hash:	d0018b8c13db036697e9c55df156f655a79c9c6c
MD5 hash:	e58003aeec27d398aadb4e36cb8ad27b
humanhash:	ceiling-california-india-oregon
File name:	file.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	293'888 bytes
First seen:	2020-04-27 18:37:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:ghZsbcYUrXSOmcxi1uT/BSginiyUZb0OI:uOfNSHFszOI
Threatray	10'685 similar samples on MalwareBazaar
TLSH	465429B96B98BA02E23D1D3345D1222593F1D1938D12C34F6EC40FF97F627D9294A3A6
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.AgentTesla-7426372-1

Win.Malware.AgentTesla-7660762-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Autorun

Status:

Malicious

First seen:

2020-04-27 18:37:10 UTC

File Type:

PE (.Net Exe)

AV detection:

28 of 31 (90.32%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ipsd6hr57j73rjcxqei5mscgoirwwfglidf4fjuaspicjrfxq3q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1304ed05b8f1d183feec8852f16c1f0ba3198388f437a339af62bd2974d8ebdb

AgentTesla

36a03b97c28620a2da908370d7505c714e9863bf3c328152e1a4a69fc40a54e4

AgentTesla

4f4da7ed9a3d252b36eb7231d63b5e05eae88bec7edaa044fb5590e49d8db950

AgentTesla

4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3

AgentTesla

6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64

AgentTesla

8f004bc9aec06467c6d02274e540d990f49f936a089fe46c651fe80b38b5a4cd

AgentTesla

af3de18f3b36685688f53991f1c4bd26d2cf0a36f7aeccaa0a09088b9c2e9461

AgentTesla

b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2

AgentTesla

f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4

AgentTesla

+ 10'675 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample