MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d968b488846d7810aebd887cf2e953b11f02eeaf83ddffa16ab237b534902d59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d968b488846d7810aebd887cf2e953b11f02eeaf83ddffa16ab237b534902d59
SHA3-384 hash: 782fdd50023c35762569b9988f9a8dcd7c5f58e9f404468a8bfc3099130285c798d5b58f1bb2bfdb3d644f9729ec7e9f
SHA1 hash: 1fbb6407d97ddc873fe424fdb6d627e13a37d4d8
MD5 hash: 69ed54c1be70cfc0b3f9ae50364544ca
humanhash: aspen-california-helium-mike
File name:Bank TT Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:600'064 bytes
First seen:2020-03-22 13:50:32 UTC
Last seen:2020-03-22 16:09:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Gtc6d76wjrp2JearNYtTbmdWo9KR3nMsi+aUL7r:GtewjsJCtXmdt9KRRr
Threatray 10'798 similar samples on MalwareBazaar
TLSH 9FD412C036C98875C2988F725AA282406775BD067E33F20F3CDDB29E097B7D48659B5B
Reporter JoulK
Tags:AgentTesla exe


Avatar
Jouliok
Exfil: sales@pipingzone[.]com

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.20257.14181.30940.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-11 14:37:00 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fuljceenv4bblv5rb6pf2ktwepqf3vpqpo77ilkwi33kneqfvmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e7d9a0423e2abe849c313d741de58cb172512f0b81ca56680a0c98bcc5a28e8
AgentTesla
21e0177636c75a7a5742a3cdd96cdae72ec26a2d48393eea276f4ec5a40405ed
AgentTesla
2a3b5f4a6e6d41c86a9d25ff46831b1bcf73db123bf659d59c8125c147afc895
AgentTesla
306f60a415f3935c8eb3e3d13fa6957f8ab8161e0818fc93850d54f0f69d0b3f
AgentTesla
81eeadcc2553fe9991022470311c8ad197615c465cd06a2992990ad63b14aebb
AgentTesla
8acbf14306b787f2e29dd9e13e57da8cea6609a3ba9aa86e126243e690a4bf63
AgentTesla
8ed339f943c618ed7d55ff92dcad7ee68dcc02753691838fdecb06db6a8e1202
AgentTesla
a7120c8022437adb5629ea851c83f9efd6e57d9f5598f735e66fc11381fd707d
AgentTesla
f8aebcc9afaa71ce6097fb2b9dc2f412c1c98b358fce687f98f3e379216c8fe7
AgentTesla
fdcfe91ecf3940c58623a8e641bbb8065ce851de470f17c98bba19b9d05b0832
AgentTesla
+ 10'788 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d968b488846d7810aebd887cf2e953b11f02eeaf83ddffa16ab237b534902d59

(this sample)

anyrun
any.run
https://app.any.run/tasks/a916058b-1ff3-4c26-9bb3-e32c52ce1b3e
  
Dropping
AgentTesla
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments