MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1480e69cac4dec8dba239678446472b12f18cc5e963cc8b7c507a9ccaeaa75cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla

Vendor detections: 4



SHA256 hash: 1480e69cac4dec8dba239678446472b12f18cc5e963cc8b7c507a9ccaeaa75cf
SHA3-384 hash: 6cb48410d6bf48d5b899e00c57c6d2db5474c28ef868379e2529349b32d957e9e686dce45184b3af89fe1a05013038c8
SHA1 hash: 32b6d7e6ccaf776dc46fed1919946d355172ff4c
MD5 hash: be45bf7f251ecc68fc1210b927aa7453
humanhash: jupiter-mountain-kentucky-bluebird
File name: COVID-19_040220.exe
Signature: AgentTesla
File size: 102'400 bytes
First seen: 2020-04-02 15:33:32 UTC
Last seen: 2020-04-02 16:50:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 72712f58e373ae35fd1ba25cd72b40e3 (1 x AgentTesla)
ssdeep: 768:4FiB8tfWoVmG84fIOz+q4nS7DQZxmuUpLf6m6gGwDBIstrjM8LEk46yMb:h8YoMGVpDZbuVepfVY8LW6f
Threatray: 629 similar samples on MalwareBazaar
TLSH: 37A3C625BD50FE10D4188A708E7ADBFC4229BD30AE456B4BB6C03F7E3D31191BA91B56
Reporter: abuse_ch
Tags: AgentTesla, COVID-19, exe, GuLoader


abuse_ch
COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: ns392991.ip-176-31-110.eu
Sending IP: 176.31.110.7
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: COVID-19_040220.rar (contains "COVID-19_040220.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1CLCbjFy3aoGBl07CLV-M4GdEGw7Io-ns

AgentTesla SMTP exfil server:
mail.asesoriaurquijo.net:587 (31.193.225.102)

Intelligence


File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Minix
Status: Malicious
First seen: 2020-04-02 15:35:20 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 26 of 31 (83.87%)
Threat level: 5/5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropping: AgentTesla
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
VB_API | Legacy Visual Basic API used | MSVBVM60.DLL::__vbaObjSetAddref, MSVBVM60.DLL::EVENT_SINK_AddRef, MSVBVM60.DLL::__vbaFileOpen

Comments