MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95178efcb1e75d4c32fb699431765c5b5a1618352ccd287e94e304a8f2555b66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95178efcb1e75d4c32fb699431765c5b5a1618352ccd287e94e304a8f2555b66
SHA3-384 hash: d3f9914208d7234a005f2d67e38fedd6d35e288c2209eff8573a7382870bf8818579583aeb5fb50cd56bd4d0de71e31d
SHA1 hash: aa6863306ecc1295bebe73b567dacf1f1cfc9838
MD5 hash: 8f88e8d771817483f286457920361bc4
humanhash: quiet-lactose-summer-failed
File name:Payment Advice Note From 0324098457769.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:535'040 bytes
First seen:2020-04-07 18:59:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8e2c3699cdcb2cc60f4f0484f104f80 (2 x AgentTesla, 1 x AZORult, 1 x FormBook)
ssdeep 6144:+03teM4+3za+N785i79l2y1t/wFZ4j+LOQWxpzsj7S5xItUAcoC:+09l3zaV5i790SeFZ4j+L9WTMqOCA3C
Threatray 11'008 similar samples on MalwareBazaar
TLSH 83B4E1217A80C473D157223088A2DEB51B767C31AF506B5B6BE5AB3F6D30382DA1539F
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: h2.domains.sb
Sending IP: 52.10.241.220
From: Shabeer M. T. <shabeermt@lamco.ae>
Subject: Payment Assistance Due To Covid-19 Pandemic
Attachment: Payment Advice Note From 0324098457769.iso (contains "Payment Advice Note From 0324098457769.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Agent-7652322-0
Create hunting rule

Win.Dropper.LokiBot-7665516-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 13:35:11 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
29 of 31 (93.55%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=suly57fr45ouymx3ngkdc5s4lnnbmgbvftgsq7uu4mckr4svlnta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
188cd2049f2d511fbe6ede085f60214b76f73125a16165026d4e4d392f1a721a
AgentTesla
2548272de2d930f99b953bf466d49d5f850f4f9105ff420937edfa9ae70aff7d
AgentTesla
40e9b18a9ae56099292d10bd537b24db851b03b38a54028f5460b1433f4aa627
AgentTesla
47dc93d9f50e610072c38ed05d454b31b9a4d9c31f2abc75840dea36ec4ef374
AgentTesla
63fc3b0b471168010c1f4552579de07cbdcaf074aced788680a423404996288c
AgentTesla
6407a885f99633b2f5559e9f04b001a859367468dd7e761fb28d527995f3112d
AgentTesla
757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
AgentTesla
91b711812867b39537a2cd81bb1ab10315ac321a1c68e316bf4fa84badbc09ba
AgentTesla
e939e5ac72af54c976d32967a56e22c82b4c46fc5693ebf04ccdbbd4ccdc3470
AgentTesla
+ 10'998 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 9a2b0d8144c882557176939c8651a96f7410e56eb99642b1f1928de340f1cc33

AgentTesla

Executable exe 95178efcb1e75d4c32fb699431765c5b5a1618352ccd287e94e304a8f2555b66

(this sample)

  
Dropped by
MD5 804f98581233b34f71942d9df0a7c7a7
  
Dropped by
SHA256 9a2b0d8144c882557176939c8651a96f7410e56eb99642b1f1928de340f1cc33
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW

Comments