MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8bf34d96ec1821d738a6607f98c114d74e93a55d4d4b21e5fc22354177190b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8bf34d96ec1821d738a6607f98c114d74e93a55d4d4b21e5fc22354177190b2
SHA3-384 hash: ac62e15d4a6ea8b198428b863caacc12f442fad6111b1d2274e4e841d290433e6b23126aafb00ce1e5a15616aab82c41
SHA1 hash: 07613c9db414c8f7cfae8d6aa46ffedb23579926
MD5 hash: 530eefedb851f7338a1dfe7a9e9bce58
humanhash: nevada-pluto-hot-pennsylvania
File name:INVOICE COPY.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:495'616 bytes
First seen:2020-04-29 07:06:19 UTC
Last seen:2020-04-30 15:29:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0HywgjUdMgnQm4z2idSHKuYEP0zKt5ag8rZ8u:KywyUd5nQPmhYEPima
Threatray 10'594 similar samples on MalwareBazaar
TLSH EFB4D09C7650B5EFC827CC7699A45C60EA11B47B830BE343944726ADD94EACBCF142E3
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.26831.UNOFFICIAL
Create hunting rule

Win.Packed.Nanocore-7758947-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 07:15:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7c7tjwloygbb244kmyd7tdarjv2ososv2tklehs7yirvif3rscza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
204f690898978f91c9c1fe23dcbd519bed1c67c7621258f0aeae2b2f58fbe615
AgentTesla
3168af462696c8edf2bb2ab1537782ca60135573d977c6d3264ca2069871d9b5
AgentTesla
37f3611503d3e8828f5acc568dc065e4fadc60558d1812d3473140d21146c0b4
AgentTesla
3e4c4376c736f74bf5ad2b4854f8e28816e1519c86881e3dc7086506cc7950c2
AgentTesla
4a2c1f3c1df5c34f1c99c8f7cc8b18fae2c71189e6e383face3ff7fa31224f52
AgentTesla
8941d1279e3899cd7342a1f7f1b6da470544a2685e1cdd320be9fc194bea36a9
AgentTesla
b25f3db74d63d42e8cf1c5224ec5b1097036e4ee3339c961d0bf681506dad883
AgentTesla
bc1009772fd685f88c177412db4a333a78723286e656e1f6c0601569dbc3e6a1
AgentTesla
dff01b9f8946ed3792fe4e32ae3f95834c892f16ca219dc99d78fd15064f82a2
AgentTesla
f35fa2a6281a2a24016729d315083a638edf176a890a605dba2ac134e1733bb3
AgentTesla
+ 10'584 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments