MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8bc30268551dbd155b8117bf3be1c869fc9945508801f658583e8f4ec46187c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	d8bc30268551dbd155b8117bf3be1c869fc9945508801f658583e8f4ec46187c
SHA3-384 hash:	04564686d4bff45683f8f0bb2423728bffe484fbee654e14db6583328cc05ab643946bf3ac22e03adcbfa3b876e185b3
SHA1 hash:	6ce03fcfeb283b6d74160edd8b0c264e9732fb3b
MD5 hash:	dffefb33999cf5eda7e411c20943db9f
humanhash:	paris-friend-ink-steak
File name:	PO 75410085_Pdf_______________.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	819'200 bytes
First seen:	2020-04-27 18:41:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0318ec2c3e20540fe0ccf697fa352b5b (4 x FormBook, 2 x Loki, 2 x AgentTesla)
ssdeep	12288:tMwW5CcA25doqMiR3jfdKWVGKiwqd+ecWzgEpQm5Z4bPbrHBO0mS:L8C2xVrdVMpn+ePkEpQpzrHBOzS
Threatray	11'106 similar samples on MalwareBazaar
TLSH	A005B026F2D15837F1732A789D5B53A4A83A7E103F2998462BF42D4C5F387903A3D297
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.LokiBot-7699946-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.GenKryptik.EIOO.20590.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-04-27 09:36:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3c6dajufkhn5cvnycf57hpq4q2p4tfcvbcab6zmfqpupj3cgdb6a._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2474586827d8955e084438012fb1b977249fb8754137bd1ac0071dbaa6ba22aa

AgentTesla

2fcc3c49cbacd359f308ab59cbafdec24f95d4b638bf9c2fd5dd466379dac3aa

AgentTesla

33080a9c91a75fd27eba463264265ddaa6f12055b0fa062021d505f70f204814

AgentTesla

6407a885f99633b2f5559e9f04b001a859367468dd7e761fb28d527995f3112d

AgentTesla

709d7e293799297ae8c2661da4a8d6ba542a02a145462c703b84c6b1b0531cc7

AgentTesla

76aeceb07ade4e0dca6cf046b682ae5909f578b725da30d10a46c6fb58cc3f33

AgentTesla

a21c8651404d572a8074ffe3fbe15aadf04f2a85d57333dae44f253a7c0a5e03

AgentTesla

baaf2981e64ed0745b71f49dc599ece70213ac2f805d8d1a4f254f9bb3fcc5cc

AgentTesla

ea2b4579502edcbf620e89086f0d701f1533ca67f5dcaec50a57fb4e8b8e46f5

AgentTesla

+ 11'096 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA shell32.dll::ShellExecuteA shell32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample