MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47e1f71185f193d015191dec0fd981e6591780a336115fe14638b74031531ac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47e1f71185f193d015191dec0fd981e6591780a336115fe14638b74031531ac8
SHA3-384 hash: 5df101f1aeb92d7a7702743291aa6b1b3e221ec5da9f849f2482ead90d6639ccc0a908c0b165866b6d9d661588ef0d40
SHA1 hash: 53c7dbf62446b5baa55ef7fa6e09228205e0fa2b
MD5 hash: 40b4721c9265962f8e7c6df40d73c691
humanhash: lemon-four-white-echo
File name:s5kjzbJWCq5H65f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:423'936 bytes
First seen:2020-04-30 06:53:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cSHFcnZtO+em9CX0gczjgFB5Wf+ROsHKDU:xlYZt7emUX0hzUFB5JHKo
Threatray 592 similar samples on MalwareBazaar
TLSH DA9412F58B0CAA3FD46F09354692EC197299D03B9091F7B64E6651BE44AFFE228107C3
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.ticariyiz.biz
Sending IP: 163.172.115.13
From: <semir@semirsalman.com>
Subject: ATTACHED UNICEF GUIDELINES ON COVIC19
Attachment: Update On Corona Virus.rar (contains "s5kjzbJWCq5H65f.exe")

AgentTesla SMTP exfil server:
mail.ab-care.eu:587 (69.175.61.114)

AgentTesla SMTP exfil email address:
dantemrhenry067@gmail.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 49b32c52ee37afe1aab5fb9a0c422b19543eed09798081e29bec6babed26cf81

AgentTesla

Executable exe 47e1f71185f193d015191dec0fd981e6591780a336115fe14638b74031531ac8

(this sample)

  
Dropped by
MD5 72277e23d30f5b141f7b279fe5d36489
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 49b32c52ee37afe1aab5fb9a0c422b19543eed09798081e29bec6babed26cf81

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments