MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db5f388785aeec055189f9c7ee6ce371f399c1a67fe41a653308fcd47d86f90e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	db5f388785aeec055189f9c7ee6ce371f399c1a67fe41a653308fcd47d86f90e
SHA3-384 hash:	fac76ce08bc98c93fdda342932870e3d0a9f92bf0adde6b721809b6a1c578a796c4cd319b6722d215e0b28ec59e1eecc
SHA1 hash:	3c5e26a348340d88a029b1a19d89d570ef16c3f0
MD5 hash:	06b55a93153eec12d07a1a11dc4b2872
humanhash:	wolfram-winner-utah-carbon
File name:	ivoice_output31CD980.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	823'296 bytes
First seen:	2020-04-30 07:31:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a38639b97501c90c8ab0be0a1f11a476 (1 x AgentTesla)
ssdeep	24576:t7r2yiMXj/fpcf2v55IwZU4b5CUMHb9D+kLz1Y/HtvQ5USKD:7iyhcf2v3CUMHb
Threatray	640 similar samples on MalwareBazaar
TLSH	46050215EF324E65C7C6927CBB4002B484C97533D010A9B7E76D0ABD1BD49E8B5E23B9
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2019-08-06 12:30:20 UTC

AV detection:

19 of 30 (63.33%)

Threat level:

2/5

Verdict:

malicious

AgentTesla

135f30b64eb7d5c4c68f36be07133b9f7134e8f3cef3d91569dd20b38b4d5d79

AgentTesla

25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

AgentTesla

33e6e7a8f9bd94fa61311b96d6d87c77acae7ab7c42ef47e03be3a14ff7d492c

AgentTesla

6df8ea96addb668a51442b4b3287c1294f0e834333c068f3853cb95016dceaeb

AgentTesla

70bdde448d83d5fabecafc0b3706fe1b732b64ee09d6d34886415688acf459d3

AgentTesla

77985fca7ae6b60c8025ba326e3bd1d9949c3fb32b9ca0f99f040be633823a7c

AgentTesla

da9862ee8464b05323624e0c7bda7d8bad57f7f2239fd4c2355d5f2b2aafbe68

AgentTesla

e0af0be6801a112bc8cf51fc9d1bbef16a56c4d1d9d6c68f15557a21a3e54351

AgentTesla

e3b3563743b88b8e8d0e23f6c357124c49678a633245510b724070bb6b1b342c

AgentTesla

+ 630 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaSetSystemError MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaLateMemCallLd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample