MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17bbea6ca05282ea03942ee0ace1d10acaa2fe617623e552e650079bf6586d11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17bbea6ca05282ea03942ee0ace1d10acaa2fe617623e552e650079bf6586d11
SHA3-384 hash: af61d6090224e89b247beafe7e9c4b80e9bec14bdf4c60a7dfbac03ad7ec1969e850eea4c99654a1c9d20279633ba1ea
SHA1 hash: 5db2a29bfbb914de10f0857df69554c89d848ad8
MD5 hash: 77bf9d18cb7430fb91f024a14b198a6c
humanhash: pizza-south-beryllium-wisconsin
File name:SolutionFighting_pdf
Download: download sample
Signature AgentTesla
Create hunting rule
File size:630'784 bytes
First seen:2020-03-27 14:02:56 UTC
Last seen:2020-03-27 15:58:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:J1GuWQCZlXTLw0jzuFrS6MQl+FE65/QtBeG12PEUxPtMSo4oUYVisu5qKO/Hscxf:Jgu+ZlX1uI6C5iBeGLUxjK/iqd+
Threatray 10'643 similar samples on MalwareBazaar
TLSH 97D4C03736C68A55C920A27240F9EFD0B367F6C73751863E669B53886E426CB3B0D349
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 malspam campaign distributing AgentTesla:

HELO: staging.maykenbel.com
Sending IP: 195.12.49.182
From: Johnny Meng <thanh@oriontex.com.cn>
Subject: SOLUTION FIGHTING COVID-19
Attachment: SolutionFighting_pdf.gz (contains Covid-19-UPDATE-9000986666.exe)

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.45719.28801.12290.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-26 00:27:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c656u3fakkboua4uf3qkzyorblfkf7tboyr6kuxgkadzx5synuiq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
159bf6b29be05efdf2e536289ecbc6fe8a48368895c7331e03b94b2d497ad758
AgentTesla
296214059663fa3e1243f126c2cf5f689ae0cb91324a3624a97048466b92f875
AgentTesla
342cb45a17253c6e1a88c20c3705beabc62c44844285d499f4be6eabf9720034
AgentTesla
6987e9d66b3d7120047b8725caa87c262f1430a2b91a6d1ef717e6f4b6c3fd84
AgentTesla
8daf58146648177ecc0b8da2ee4068ef7886065792c7f6fa9eb03fc77c041e83
AgentTesla
9f7264f096d9aa3d9bc1215a0979566e9fdc64dd58089c7913af18e2709e3f60
AgentTesla
a93c824d20b6d30f7a6cdd41e83dc2ed1b1294c023d25184b2779cd0fd4f2a5a
AgentTesla
c2aece4c0138a4ce56c8baa129b99e8740277795ac3c69e03d3a86cb7e629582
AgentTesla
f20b3dc32d42f2f1a64414b5932cc0cb7baf99356445a770a80bf7bed7e144a8
AgentTesla
f6e9e7b2c851a45cf6cadddf0d3481033fc84e0d6f1bbf817f70cb2b837aeecc
AgentTesla
+ 10'633 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 1942758015f2ed95a6aa041f19cfbf2fa25aebdd4598b23beba2420d3aeebf88

AgentTesla

Executable exe 17bbea6ca05282ea03942ee0ace1d10acaa2fe617623e552e650079bf6586d11

(this sample)

  
Dropped by
MD5 01bff21d48af2ab21d2074c3b71120d8
  
Dropped by
SHA256 1942758015f2ed95a6aa041f19cfbf2fa25aebdd4598b23beba2420d3aeebf88
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments