MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f427ee2e2b27288bfd45b0aa985b3fc19e4b81fac28b8e6112529632040b2ab9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f427ee2e2b27288bfd45b0aa985b3fc19e4b81fac28b8e6112529632040b2ab9
SHA3-384 hash: 6c813cb64a6788afc8f5833ed42d7ee3a2c015d44e8e6fbbf13763518e6e8a75ee5cc66e42651ac21b4affce6f26751b
SHA1 hash: 084a5ec33ba9f20423417e0b4abfbcb9c7dfda4f
MD5 hash: 5ef1b3fd0b42152c4de886aba68e6cc2
humanhash: romeo-november-arizona-leopard
File name:affbda1bfae228a66d3d500ce9d1a9db.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:300'032 bytes
First seen:2020-04-06 14:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:GqHlPV0nzuM/wU98P9SlABykb1FHhOF1TI++XJiby6OO:VHlt4uM/w869lFHY46OO
Threatray 10'585 similar samples on MalwareBazaar
TLSH 5D541AAD2B98B902F23D5D3785D1622492F1D0838D52C34F6FC84FF87E617DA294A3A5
Reporter abuse_ch
Tags:AgentTesla exe GuLoader


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1zb4InQzKcD_-vSClXtinvfjGXlYXjZ7Z

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 14:35:31 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 30 (76.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qt64lrle4uix7kfwcvjqwz7ygpexap2ykfy4yiskkldebalfk4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
006449caaa797b90e1c58ff7a1a767a937e220b45f98cb9f55a0227a2a1d7f08
AgentTesla
094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7
AgentTesla
0fabbaf7f8ad7af3888aa77b2e376db74390064ea8eea0c54fee59fdc2cd54c8
AgentTesla
2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
AgentTesla
813c6c4898937f9c8c4cb910ac7de167a8c61d4a748a879b4d319945bd057e4d
AgentTesla
826c58de5e811796f7b77ea72b19c0e5bb61d08b51c08ad4277820eea897a613
AgentTesla
b2a303978225eae9f42504387edb087b85311f789d125edb4ead7066e7047afd
AgentTesla
bbff8963c1d1069fcc4f65429d480df9963765f29865e9b35a6cb100f8005754
AgentTesla
bce1f7597dcac5d3744d485142c06a71b60eb246a4f5e97bc41848150a822215
AgentTesla
e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
AgentTesla
+ 10'575 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fbea14335626b9634e88d69f86b65d94d3fdee5c0fe685ad3c85f582f295219d

AgentTesla

Executable exe f427ee2e2b27288bfd45b0aa985b3fc19e4b81fac28b8e6112529632040b2ab9

(this sample)

  
Dropped by
MD5 affbda1bfae228a66d3d500ce9d1a9db
  
Dropped by
MD5 c9ac0a487eaf7acbe8d68e1e5c03a059
  
Dropped by
GuLoader
  
Dropped by
SHA256 fbea14335626b9634e88d69f86b65d94d3fdee5c0fe685ad3c85f582f295219d
  
Dropped by
SHA256 f4aff2fc066bf5dea2119f732a51a01ae341971e4ba78632b859ffcbfa9944c5
  
URLhaus
https://urlhaus.abuse.ch/url/335819/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments