MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4bf5ef530b557975cec92877a952d19d87ea2f4d9ca4cb4deb4b4151f71fed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	f4bf5ef530b557975cec92877a952d19d87ea2f4d9ca4cb4deb4b4151f71fed6
SHA3-384 hash:	12a7bd513b16b34acf2eb27f731f9e91377ef168e103f823a9c98f846c1c08d5c99a0a705a12d656e684064dbbe2b433
SHA1 hash:	91551691147db0515f90d64322b3484a4d846633
MD5 hash:	bc7b4ba2564168203cea7f956b718de2
humanhash:	orange-low-bulldog-mississippi
File name:	bbb.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	877'568 bytes
First seen:	2020-03-25 05:33:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	951cb92420cb61c21ff1b1f8aa67fe4f (4 x AgentTesla)
ssdeep	24576:lPZn8ItK9UHkfaoKKwR6nMxko336GLq6Ak:RQ9uR6MnTLqi
Threatray	10'997 similar samples on MalwareBazaar
TLSH	F315B022F6F04933D17E1A7C9C1B53A8983B7EF0293498472BE52D4C5F39681356A29F
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Delf-7640639-0

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-03-25 01:11:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 30 (93.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6s7v55jqwvlzoxhmskdxvfjndhmh5ixu3hfezng6ws2bkh3r73la._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

14dc3be5ce8ed2b8c0f9ec3a4e630c2dc9e613de58d8220e0b8d28fa51c6752e

AgentTesla

2f91e7f75a6bffa7262b7c049aceaa57d56fca07e2a79f628786dbcb2e4c9dd0

AgentTesla

3a83183d7ddb15963616f33d030932f0f04b71c66cfbec7bd5d2296c2177f6e6

AgentTesla

3d188a0945681b28e2c289de2c82ab3a5fd7f15a94b9354b62f0808406d51b56

AgentTesla

654218028f797e5c401cc31242000aaa138e3eb0f8a920b850dadc2b2bf8f807

AgentTesla

8ef454e63b8f837f990d0fc662e67b5a5f9c369a9fd01495419e13a053883536

AgentTesla

8f9706ae3291a23f41bcdc0b9248389d39480087c2394cc249d45f30619441c6

AgentTesla

cfa902295e508fe2013b7028ebffd7b66e54180388161911d75457ce605005e4

AgentTesla

d4738969a3670a665ba39598d50ab71a170b2f78c5f6e83f305d411c6db059a7

AgentTesla

+ 10'987 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/329477/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA kernel32.dll::GetTempPathA version.dll::GetFileVersionInfoSizeA version.dll::GetFileVersionInfoA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample