MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9562206911b00e6f2479459c556bb24609d7151196792c31b9bba547e9c161c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9562206911b00e6f2479459c556bb24609d7151196792c31b9bba547e9c161c
SHA3-384 hash: 3922daea25bee64daece590b2437ee3448401a9b8cb143bd28fd24b73bf418ad1984fbb61c5a1d024b330276341d6408
SHA1 hash: 6645ba34b99b1c1068c98a17dd345961206f0654
MD5 hash: 3855749aa61c5e99022ebf6286a9cc2b
humanhash: winter-lactose-west-massachusetts
File name:SecuriteInfo.com.Mal.Generic_S.13632.10651
Download: download sample
Signature AgentTesla
Create hunting rule
File size:405'504 bytes
First seen:2020-03-19 18:03:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:lZpyXFfuD4G+0SLABGBTRauhCUw4mT9SM:Hpkqp+02sUw5T9
Threatray 482 similar samples on MalwareBazaar
TLSH 5584EFC089BCA9CEFFFE0E7D29B6C015C4961A552E9BF35F700C98DA18991601876BCD
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.Generic_S.13632.10651.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-19 11:52:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
06c3086d2a9a4456f1e98b32ce177c455ed82caf13ae4bdc2e402d78f566160c
AgentTesla
275537d87441c354b859273e0729177d78f185bebdd9a86fac240a3f168a80a3
AgentTesla
3c05c5b0d65a0c7c5c415a6dc5adceeb651f986f40d4a5d2cf41331b8a8d52b7
AgentTesla
4853f32b8c9939f78afa1660524e6bb7d7c7359d8c2aed5f09cdaaa0c60a791d
AgentTesla
545e7d34943eb13bd1f648178d6a19fc0cab40faf00e15a8273e3617d2a1f1f2
AgentTesla
5d5972b96829869418e78f028416f873a9df1d81c7e0509ac63b81204e71ac9c
AgentTesla
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad
AgentTesla
74b407cd2ea449ad72f7990b376f2212c917da526e0eac7052a71514a12081b5
AgentTesla
b023a34548a0f58904fab9d0c977edd8eef12a8185661dcb51b9937df768aed1
AgentTesla
c7ead8266de17cda17f2c1cf6b146c616a092f2a4d2e59cf80e2815976c5932d
AgentTesla
+ 472 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9562206911b00e6f2479459c556bb24609d7151196792c31b9bba547e9c161c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e9562206911b00e6f2479459c556bb24609d7151196792c31b9bba547e9c161c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/326354/
  
URLhaus
https://urlhaus.abuse.ch/url/327088/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments