MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f
SHA3-384 hash: 7a24055dd4aa95fab272ead3005f1732ec840b64293117fa3bf08db04e46ff5d48d64f5714d8104792ad3f784b171b0a
SHA1 hash: bc3b37f93607658cbde75d2522551ce73b56b208
MD5 hash: ffce1ea204423df458c3c8271693c9b5
humanhash: carpet-cat-tango-ten
File name:Order Inquiry Dry emtpy Container.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:467'968 bytes
First seen:2020-03-30 12:43:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:GRaTVxfAFy0EiTnq6T0yHXv0rjnL0uVJm5Ma8:V/oQFI3AL0w0Ma8
Threatray 10'482 similar samples on MalwareBazaar
TLSH 8EA4236FE7B4637FCECC44F8F950228513B594219985F2CE8FC16AA991773E281016AB
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.215132.54.32011.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-03-30 01:39:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xzyjqolz66ndo5yct45qdo4ytjlhr4g7wrjyosi556n5dyi26hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38784e09ac572a99811a368a4cc4ba28f949b2ada8f0ce426de03a0bf7c2ee99
AgentTesla
4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108
AgentTesla
65e49a29cdfa1f1f91d5a59354ce7920a03b4aaddc0e26a3b002985d57388ea8
AgentTesla
793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
AgentTesla
89bd696df7073c78ebc27a60c79728b782ca27d1d82abc8b0d5aafea1d1d61d3
AgentTesla
96382f5a4c395562a3d763a7f61e09486af57987d43e5cd231063993bb6952ac
AgentTesla
978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
9d81a85ddc0cda68c4b9592df54155b4bf43f958cb17afa9a84c2f77bbbda0a7
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
+ 10'472 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments