MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a76e8e63c85e8208a612cabae9e348dedbbd5c15b2bd71969d65f83e2e70828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a76e8e63c85e8208a612cabae9e348dedbbd5c15b2bd71969d65f83e2e70828
SHA3-384 hash: e0fac2230cbb402e93307146652f45cec3d22cec43ca8a6bdbb6af2ce6c8f503dd8f7599dc658d80716761f78ab3ffa4
SHA1 hash: 39b8cc0cc8435561722370aff3b385902c6c2535
MD5 hash: bf177f8774b87b297f94db8f28b4bde2
humanhash: cat-uncle-yankee-fish
File name:Product Lists.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:451'072 bytes
First seen:2020-04-01 12:14:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RwzSa0vMo4Zj5dO8Tbw71iw2lbXJh8nF0X:yzX0vM3x5s8Ts5iw2FXrE
Threatray 10'523 similar samples on MalwareBazaar
TLSH ECA4B03161EF1156C772EFB30BD8BCBED6A9B273161BF53A258116C78221A02D9C1376
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: mx3.bangla.net
Sending IP: 203.188.252.14
Sender: U.S. Department of Health & Human Services <br4656@bangla.net>
Subject: URGENT NEED: U.S. Department of Health & Human Services/COVID-19 Face Mask/ Forehead thermometers
Attachment: Product Lists.zip (contains "Product Lists.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46074.23117.32657.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 02:12:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fj3orzr4qxucbctbfsv25hrurxw3xvoblmv5oglj2zpyhyxhbaua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00caad7519b91c64e727ab57e4bcac298adc5c165fe3593013cb9baddf38cc17
AgentTesla
05996c601bef47933f65141b1dbc039784dc710307c2e7964feea58f6923748c
AgentTesla
1531d535038cfcc34c5add5c59d8d91b4148ddc6e4c0d89ee0807ba4a63da3c2
AgentTesla
1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1
AgentTesla
2ed8cd44621cc06fa9a00f11b5217fe58839a8ec6bfee8d42f78f61263652da5
AgentTesla
9bf34a347324254e98e309990bcc487c6bb53f4cb3a44b401290d1cea114b1cc
AgentTesla
a93955691d6362b1ee938642800ed9397cdfd4152e1e2ea68c9cd0559f6aa575
AgentTesla
b1f60766fb1c9d311d8200f0d45898156f6ce60e9db644032731e9284bf1c552
AgentTesla
e1c5d948acc6e111d7ac16afb0d2474163fa478595caa8751afd266d71f0a9e8
AgentTesla
ee84542a7345a20be96449b190580d2f0ef359753358339d30f0b1dcd4bec7f7
AgentTesla
+ 10'513 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7f450e898b44156719e50f2d0753dc257099753f9d847762d00a75fcdc687173

AgentTesla

Executable exe 2a76e8e63c85e8208a612cabae9e348dedbbd5c15b2bd71969d65f83e2e70828

(this sample)

  
Dropped by
MD5 51517a417ed767183174c1855331d51c
  
Dropped by
SHA256 7f450e898b44156719e50f2d0753dc257099753f9d847762d00a75fcdc687173
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments