MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 1 File information 8 Yara Comments 2

SHA256 hash: 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2
SHA3-384 hash: 0d091798ff2636ee0144a00d566cdc144644c8800c033dcc249015ac90a77675f736d2703bf8eb396be66a9318ee9b74
SHA1 hash: c4e9744244cf3b8e407fd40d50849d5dabbeb795
MD5 hash: 641b595a4f0d6fc67f702417eab2727b
humanhash: burger-colorado-glucose-montana
File name:791a1240d70a20f2b1383dc1bf8d6f90.exe
Download: download sample
Signature AgentTesla
File size:298'496 bytes
First seen:2020-04-03 03:39:22 UTC
Last seen:2020-04-03 14:11:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:Ih957wHvik5T+1UF+9hkRUsrXs/A0SJnlM3qbbHouTV:IuHGh6RouTV
TLSH 2E54397D6B88BA02F73D1D3289D1266022F1D5834D12CB1F6EC95EED7F527C9284A386
Reporter @abuse_ch
Tags:AgentTesla exe GuLoader


Twitter
@abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1h7SUDWP01DvDJAltA8ckSj40Cezuv94i

Intelligence


Mail intelligence No data
# of uploads 2
# of downloads 34
Origin country FR FR
ClamAV Win.Malware.AgentTesla-7426372-1
Win.Malware.AgentTesla-7660762-0
CERT.PL MWDB Gathering data
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Autorun
First seen:2020-04-03 04:35:48 UTC
AV detection:30 of 47 (63.83%)
Threat level:   2/5
Spamhaus Hash Blocklist :Malicious file
VirusTotal:No data

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
MD5 8984683ba4ce4cdabd1f2bd08a86fc4e
  
Dropped by
GuLoader
  
Dropped by
SHA256 ee6f2cfd633a728a5dbf74bc04b7c9b88adeda052041927ccf262363d3748f70

Comments



Avatar
abuse.ch commented on 2020-04-03 17:21:45 UTC

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: server.kto.org.tr
Sending IP: 185.135.222.3
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: vaccine release for Corona-virusCOVID-19_pdf.rar (contains "vaccine release for Corona-virus(COVID-19)_pdf.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1Trzyb2eW-3WLdj4BQQq_kissPU1THWy5

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587 (208.91.198.143)

Avatar
abuse.ch commented on 2020-04-03 11:18:47 UTC

COVID-19 themed malspam distributing AgentTesla:

HELO: mail2-ppa.jpcinet.co.uk
Sending IP: 212.113.198.219
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19) (contains "vaccine release for Corona-virus(COVID-19)_pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587 (208.91.198.143)