MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aeded46b92aeea959a9f7f8315dae9d9ddd3725cb6ff0a01df1820e11ebd2a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4aeded46b92aeea959a9f7f8315dae9d9ddd3725cb6ff0a01df1820e11ebd2a2
SHA3-384 hash: fd1cdc51eeb2bff23afef5c738128e653c91f10b77020130c5c06c9bbda7937925d2ae247334fa5c6cb66688f4222ed8
SHA1 hash: 49a0a9caba7ba2f282441366002e1ce7b50ac5a4
MD5 hash: 1a8b15486a30027042f83990d6c223a4
humanhash: table-nuts-oranges-vegan
File name:PO - 2020764.pdf.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:821'760 bytes
First seen:2020-04-30 12:24:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ab296a1923cfab6fd94a91929b833db (5 x AgentTesla, 1 x NanoCore)
ssdeep 12288:AjG53a6Rb06OwOpcjur8zA5/ogsmQNSebGz95F58M/zMp49d8d9DwQLdf6p:1BhR4pcSrNQwQY7h5cCY49dqwKO
Threatray 11'061 similar samples on MalwareBazaar
TLSH D505CF62F2D14C37D1732A789C5BB398A83ABE103A39A8462BF41D4C5F397D13635297
Reporter abuse_ch
Tags:AgentTesla bat


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: yooileng.co.kr
Sending IP: 212.32.245.155
From: jaelee@yooileng.co.kr
Subject: KN95 Orders
Attachment: PO - 2020764.pdf.gz (contains "PO - 2020764.pdf.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 19:25:00 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jlw62rvzflxkswnj674dcxnotwo52nzfznx7bia56gba4epl2kra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2a44717f99e2446d315027f4cd90bfca21e77fcba2811ec556b1193de98b7d38
AgentTesla
3e12b0587d24f1f28bfc04ac59f0479bd458d042e5ec0602276ca8044c5b77ce
AgentTesla
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
4faa4683bd7134b0823bd0f04f894136bab28fb33f6163f803d08b6dd80a36c2
AgentTesla
552a6dfb3ccf93b4ce557243d0aa56129c5d9bc031cf5f81cd20f1a701422a2b
AgentTesla
733b9a08b05ec70c7ac0d28dd9b9e832c85e668342fffe880e0e2ab5222de082
AgentTesla
775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330
AgentTesla
7ff0b93f3ac5f3acfe8f9718a8c6d0828e65f39e08cee553312cd24d8aed6dd1
AgentTesla
9ee4015e77250f861a3c3868a074de25eddfa3e6a2dbd159be7d61ee65513aa0
AgentTesla
e386d4d99d65ec52f0a9d504a2e8fdfe92309a2a81e6dcfbf5037afc01a1e618
AgentTesla
+ 11'051 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 0e27b8cca5a715de583f8e9dad96bfa39635dbcd21d1683c161ae1246aef0f36

AgentTesla

Executable exe 4aeded46b92aeea959a9f7f8315dae9d9ddd3725cb6ff0a01df1820e11ebd2a2

(this sample)

  
Dropped by
MD5 429dafc689598af5316a658e3ed22f93
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0e27b8cca5a715de583f8e9dad96bfa39635dbcd21d1683c161ae1246aef0f36

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments