MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea7a3ae571da4778b074b401b955e1a8d8a9470bc72a7e3e45880a8f7223e652. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea7a3ae571da4778b074b401b955e1a8d8a9470bc72a7e3e45880a8f7223e652
SHA3-384 hash: a2c5598bf8057310ea8e6a8d59df87819979e7f9bb4d0fb7fe73310f72c6ed84413150b5749e58e68c8ae1792c6a77a3
SHA1 hash: 8617570511d65a640cc05bd9f6d03e26bdae7459
MD5 hash: ddabaf30ccdf2c321a87af16143328c1
humanhash: tennessee-steak-mockingbird-pasta
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:473'088 bytes
First seen:2020-04-30 10:15:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:b6o/AMdWJ92w9cOwpLQljRmoO9TcgIrAnU1:bD1dW3cDpLmAcT
Threatray 11'707 similar samples on MalwareBazaar
TLSH 91A423D0AF03AFB7DA680A7874DD639A96304EC35015D38F98ED49C73B5978098638F9
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp47.hostingvirtuale.com
Sending IP: 80.211.73.47
From: R. Alexander <alexander.leuts@pentair.com>
Subject: R: Order and delivery
Attachment: Purchase Order.img (contains "Invoice.exe")

AgentTesla C2:
http://lonbc.uhie.tk/inc/c983d449e5271d.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 02:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5j5dvzlr3jdxrmduwqa3svpbvdmksryly4vh4psfrafi64rd4zja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
04803c612483d76474860d5942b69d5ee3a68987a258b76283d60b345c188c62
AgentTesla
39492ca7d000a28c93084709bacf6b19357e7d79a67b3223ae2c7477bc574aa2
AgentTesla
9d7bf4dc88db19c1e81c020478be9a2130cb3420790fa8ae027127f2cfde14e4
AgentTesla
bdbfc7d1632cd7d8279b0fee3770abe6f54198d62c3781cfcf098f892c598b21
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
e0e75410c585dcaeab1ac774bf62f0ccc55ec32e009fdf75a8f089438e5b65e7
AgentTesla
e4bdbc72938f14ea66de9620b653a03bcd0b4c6b3a3b6bd7335ef15872dfb7cd
AgentTesla
e836f76c716c021e89d19ee4e4456e04b04b1041fe04fdaa6ac7523d35ef3b60
AgentTesla
f5c0ac859b78587a20820b4d82fd040ce73e9d725abc55113b1adc6df0968d82
AgentTesla
f7874f0fbf38ca0f147b393300b4349e00a35f84bee132f856e2d08a60ee8e89
AgentTesla
+ 11'697 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img a2e29454d1c4280fc17033fc67116e5389be180c808b09a94c14f4a4bdb8c187

AgentTesla

Executable exe ea7a3ae571da4778b074b401b955e1a8d8a9470bc72a7e3e45880a8f7223e652

(this sample)

  
Dropped by
MD5 4ffc861d9cdeb3110d5700a398d7de14
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a2e29454d1c4280fc17033fc67116e5389be180c808b09a94c14f4a4bdb8c187

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments