MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4163583794b9438194fedb4ca287e30d0c540c8c615e43613ada022534606ac9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4163583794b9438194fedb4ca287e30d0c540c8c615e43613ada022534606ac9
SHA3-384 hash: f322edeacb5a3d3245ca81b61152f206fb9d1a3b1a0acbae5651d3698936b43858f8fbd10620f4b613156af835cf34ed
SHA1 hash: 7ba7efa0ae90e2c2e1b9f1a3a70946378bc42085
MD5 hash: f3463ee67f50a3dfde4a63a2fadcbd04
humanhash: ohio-early-sierra-december
File name:Addy_encrypted_AB836FF.bin
Download: download sample
Signature AgentTesla
Create hunting rule
File size:298'496 bytes
First seen:2020-03-30 11:42:05 UTC
Last seen:2020-04-07 01:24:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:41Xyp6Rn9jCJpwsdD/ZkUd9VgE66Bj9aAc2PXjb8CoGTV:2XyUZyDhdM6VoGTV
Threatray 10'428 similar samples on MalwareBazaar
TLSH 3C543A7C2B48FA02F73E593249E1666112F195834D12CB0F3EC55EED7E627C92D4A386
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: ns1.mt-admin.pw
Sending IP: 64.227.16.83
From: Admin<admin@hamptonsteel.co.uk>
Subject: Re: Important COVID-19 Working Procedures
Attachment: Covid19 guideline.rar (contains "Covid19 guideline.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1lMCSSp7lD50F8ujmhURcjsUMMmkzh7Tw

AgentTesla SMTP exfil server:
mail.sjosepneus.com:587 (188.93.231.97)

Intelligence

File Origin
# of uploads :
3
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7426372-1
Create hunting rule

Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-28 13:01:34 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifrvqn4uxfbydfh63ngkfb7dbugfidemmfpegyj23ibckndanleq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09b0e2a84a8e7165c5a3b23efcd53cde0a7090e1ebe09a86cca86c33f7c39290
AgentTesla
2836e2f050c5ed948fb0652dde8eca6e867cb25aaa835d8b58738ec251dded5b
AgentTesla
345480e9fe524d588e938ab619614968b7e25f3e835e6292c28dfebc9f8ac6f7
AgentTesla
3b579b5c48b467cb0e3a3b28773a63ce90b11a87f4baba15b98d0af36291a314
AgentTesla
8f8f28f5eee0d7e5a4bf151528beb476347dd84c94ef721675237f00e391c6f5
AgentTesla
ba3bac695a448759f82d4c5180cad7d308fdb8bc12a159456b75ead72aca9424
AgentTesla
d63ec5231d1d805fcf8272f20282fa1bd9b94cc01c309a5eaaf32c1e09f9df6c
AgentTesla
df4a4e6430488397eecf551b6f8558f71d5bc65fe78d70cde3d45e38e82d82f9
AgentTesla
df981c11b8789dcff16652bae782bd8f5112ccbe7377d3f5088be62e2469b214
AgentTesla
e200737a203c4aa2f0dd82a3fc5fef097eb0e64b81b231b29b3022741ade5976
AgentTesla
+ 10'418 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

GuLoader

rar 42935c265d012ac561ef7f47446425ae8a430afa20d4065538533d98ef5ece98

GuLoader

Executable exe c9fa8e9c44e5fb934569771f39093e4ba7b66dcb2204b51fea382f0065d6c240

AgentTesla

Executable exe 4163583794b9438194fedb4ca287e30d0c540c8c615e43613ada022534606ac9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/330811/
  
Dropped by
MD5 805a5fbe3c90167545b1bfd60a5db873
  
Dropped by
SHA256 c9fa8e9c44e5fb934569771f39093e4ba7b66dcb2204b51fea382f0065d6c240
  
Dropped by
GuLoader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments