MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 253204a7bca6f8b255f0e78f16040a720d461315e792b09e082908d88eb40fea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 253204a7bca6f8b255f0e78f16040a720d461315e792b09e082908d88eb40fea
SHA3-384 hash: ee76e082c0e3939f5a9fb42c88a0ced54d5b5989753f39dafe3fa44bf932c0f793b200dd4252354d0ddf9a4a9a485b1a
SHA1 hash: 2f6f194119c97d77094b28ba6e26d6be6e68ebf5
MD5 hash: 1e615fcb2c402ee3cdb87c47d8a2d861
humanhash: two-oregon-black-cup
File name:Doc-files_receipts.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:472'576 bytes
First seen:2020-04-30 07:49:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:6xDjYWga8NNl4o05NJbLGC6sfJt9d9qdaUMhBaE5n:Ebov0tbSCfhD2
Threatray 10'557 similar samples on MalwareBazaar
TLSH 23A4DF9D7690B1EFC827C93689641C64F610A4BB430FE757E44712ADA94EADACF042F3
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.ofismedya.com
Sending IP: 89.252.177.223
From: info@athenaparfum.com.tr
Subject: Fwd: DHL Shipment Successful ::Air Waybill no 12616*****
Attachment: Doc-files_receipts.arj (contains "Doc-files_receipts.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Nanocore-7758947-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 13:20:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=euzajj54u34levpq46hrmbakoigumeyv46jlbhqifeenrdvub7va._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07ceaea9dd455538281cd8afd3b0fe49b34be3bfd7e30718572f6464bead5569
AgentTesla
11cbefd8e1c96efcac9c45d4da8d3ceadfe82666c6513a5d09586bfe24139bed
AgentTesla
133a4e4836245a58ec3415472f0f2c31c40c2c1f013321d77af5d6e6d1c1dea7
AgentTesla
47ecae395889d51a3835daa21b154644f1af8f53e03d2118f71850775777b87b
AgentTesla
5623d57806cdca9774c3a13899e361f66948b648303e491bb79072faa715930c
AgentTesla
65f2622026a29f02d0785f3fa3d3ef2a26aff0681acceb61bc72e8ecca5ff07e
AgentTesla
66ace62e0ede33040b4cfcccff43456f23c9867db05baf7c8e232391b284bf49
AgentTesla
721d621d895199358641b0e95c31e543ce050ad4447f8f2255bb9f9c110e1c93
AgentTesla
7b2c3d840df187976a61997b49d7b8a409360528bc2f8edaae80c26bcc86e6bf
AgentTesla
913c3c055acbcc86b156ce14faaac21a4aeb2aa884c4968397b632d143fe318d
AgentTesla
+ 10'547 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj d2c9313b515c94be6ccc45c5d35414d3dc82a524c8353cdb89897c94999ccf93

AgentTesla

Executable exe 253204a7bca6f8b255f0e78f16040a720d461315e792b09e082908d88eb40fea

(this sample)

  
Dropped by
MD5 05e014a34a1d786128de4a05ea553479
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d2c9313b515c94be6ccc45c5d35414d3dc82a524c8353cdb89897c94999ccf93

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments