MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d99bf6fbde49105ddb9326b1a8020e5b22f64afa1a81793e34dcac17b3fbac44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d99bf6fbde49105ddb9326b1a8020e5b22f64afa1a81793e34dcac17b3fbac44
SHA3-384 hash: 470d0c329c014d2bb7d84c3800d9fab62c5908a2bca6aea119388771319d6a8a3475823673ebddcc602e7d737baef748
SHA1 hash: 8cea9ac7f9cff3e03944fb93da02b9c35f092595
MD5 hash: 3a692820be1f0b8c5b32f1b804afa9a9
humanhash: muppet-cardinal-red-whiskey
File name:EFT7602019123014010054_18.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'350'656 bytes
First seen:2020-04-27 23:09:06 UTC
Last seen:2020-04-27 23:55:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:nJ0ITSArFRmEfvnD5xkYgRbPPMttFAaHwO8tuppM5IwB+:J1TSAplfvtx167P6ATtuo5IQ+
Threatray 72 similar samples on MalwareBazaar
TLSH F055B33639939448C93407B50068EEC1B37B7A853A56CF2EB19B531C9F0245F7B2A6ED
Reporter c_APT_ure
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.32919793.5482.1635.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-01-08 22:55:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gn7n666jeif3w4te2y2qaqolmrpmsx2dkaxspru3swbpm73vrca._file
Verdict:
unknown
Similar samples:
030ade527870e102090906fca264da749db0e0a8bb405e8aad7a58bf9cf68ba8
AgentTesla
288130ee9ccfffd3966a3ce4c7baf1a16ddf25a7a03d8e7d9cb549f3041ebfe7
AgentTesla
4c4dc83e26db2c5aa6d945fcc8bc43ebd73ba9c1b4962e17c76b832d1b0eaf39
AgentTesla
5440e3ba334553d5264329b32eaab06d2bd91e4dc69b83968723d2abcc1bb3de
AgentTesla
896152b5c1395d1a5cc2b9e57583cbba5d8ce128419d86dcdc7bd23f54bb19d4
AgentTesla
949166859d018a523b3466d403c504a868e9ebfa5526c4b4443e3ccca972be75
AgentTesla
b05eb1ace6dd219a6e5ea23d25ea88bbd672ad379ac4dcaa935acbfdece37c0b
AgentTesla
d51840953f6ba82b4285527d838e0034d9ffa1dc1de94b73ed56e5e0b33e5eb5
AgentTesla
d9f80479fda248077ba59be9cc0be526e64aeb6f3504b63979b7f4f16b191d57
AgentTesla
ed6b60c3660d11160722799525a5a16699f8b0332445e27165abaf92e1f1eb80
AgentTesla
+ 62 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments