MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf438c55827cdc66854335ddd88907d8cfc389a4ddf02f8bfda152e5b1766a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eaf438c55827cdc66854335ddd88907d8cfc389a4ddf02f8bfda152e5b1766a5
SHA3-384 hash: 8e6933d85ba6377302e13277ab90d46448de07ead4cac3cb11413a169d5f2b9734bfecc7acba060cc6e53561261ae89c
SHA1 hash: a6c0970d198913637091a795e3f6b3bf26388cc0
MD5 hash: f46f819d4797d5287360aefc87ec5720
humanhash: nebraska-vegan-robert-speaker
File name:SecuriteInfo.com.Trojan.Siggen9.34167.6432.14584
Download: download sample
Signature AgentTesla
Create hunting rule
File size:453'120 bytes
First seen:2020-04-06 20:45:25 UTC
Last seen:2020-04-06 21:33:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:t1WpPI0k5lnSpOWGQsYA49/tE6InbPOFyCaK3aID6xHWXN5MusrcNjUU2hyX9Byu:t1pbnhZg/tTITOFf3I292rcNh4wD
Threatray 10'639 similar samples on MalwareBazaar
TLSH AFA4D08073BA5B6AD97D83F61525324013B2612FB92EE3244CC6A1EF1575F014AA7F2F
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.34167.6432.14584.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 18:17:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5l2drrkye7g4m2cugno53ceqpwgpyoe2jxpqf6f73iks4wyxm2sq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06920e2879d54a91e805845643e6f8439af5520a3295410986146156ba5fdf3c
AgentTesla
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
51c880ac2d8f67890282f3a3950fbcee91fde67e2d6c7e1cf3cf1d4f497bd73c
AgentTesla
7370ee1e9d1f0e92dab8c0815a9a0c08ddf06dd21fe7dc0743ceb4116ff0bfab
AgentTesla
74e87df85fd5611d35336b83dc132150327378cc06101ec3f40b84a9c8482d47
AgentTesla
95d835e5420469346f203795885997bacea62706a1d68fdedac0be0f25330a05
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
a2846e83e92b197f8661853f93bb48ccda9bf016c853f9c2eb7017b9f593a7f8
AgentTesla
b2039b0fadc93d87682989cd23067c9b049f2520c49722006e2340e3236a9918
AgentTesla
ea2b4579502edcbf620e89086f0d701f1533ca67f5dcaec50a57fb4e8b8e46f5
AgentTesla
+ 10'629 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe eaf438c55827cdc66854335ddd88907d8cfc389a4ddf02f8bfda152e5b1766a5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/335864/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments