MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afa01ac749d07add64b68dbeb19d3723fe9a11f9fd5e55deb803949837e3e936. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afa01ac749d07add64b68dbeb19d3723fe9a11f9fd5e55deb803949837e3e936
SHA3-384 hash: 836685ad54affbdf3803d7eb37fea4c58d9c42fa92f3826c7678f45dcd9ec1717e59eb1f89c63d2611985f3e98537a47
SHA1 hash: b6275d5f541a095018e49ca1b423a584401a7e9e
MD5 hash: b965abb891dfb415ba6f897f16ba8c0c
humanhash: vermont-tango-one-romeo
File name:DHL A8002742088-Contact form.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:829'952 bytes
First seen:2020-05-01 11:52:35 UTC
Last seen:2020-05-01 13:03:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/virHeU1i/w9Lf+ZUAobl7snp+zQqApr24OzmtPLaEs2kULU5mCG/S2Bm+as4zEw:0HVb9CoxqQzbG24rtPn1wb+95h+T
Threatray 10'602 similar samples on MalwareBazaar
TLSH 2A058FA922D9D22DEFF69F39C4D14504A1B0EC93E88A7B2171B6B35612BBF904133747
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: llsc093-a17.servidoresdns.net
Sending IP: 82.223.190.45
From: DHL Express <contabilidad@sumybric.es>
Subject: Reference: GOT / 731104 :: Arrival Notice
Attachment: DHL A8002742088-Contact form.pdf.z (contains "DHL A8002742088-Contact form.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.43642.24833.3089.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 02:18:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6qbvr2j2b5n2zfwrw7ldhjxep7juepz7vpflxvyaokjqn7d5e3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
239a40118ca9473eb4be7f1bcf0fbb00c93b7213926402d93074b2252bc72092
AgentTesla
2b5d96d018098da5990f2d6d721ab925efd4422c13cccf031775b6fddd5f801e
AgentTesla
7152b668f5c6b22a87102c106f3b60ba955f23b5e82e7f3fbde71d9a6afa2e4b
AgentTesla
749fb27e09e73a7f92ec5cc78f806b53d9b31a497be4aff6ff9c07761c947199
AgentTesla
774d17628f3f46071d54b99aea7b8d2ef84c9f44eecebe916d87da0c6325f8b4
AgentTesla
8c1d117e9f7e5ade2de844bffdf2aa17368c95342f0a9ee0746f10e5982dede6
AgentTesla
8c68ba8f79b3446aade75acc5361b681e7a07b972a26ff1659061c36f84a2444
AgentTesla
9afb1afff030f6cb575c9f66e9d21257e82fd4320751ea78dfe6711a2b047fa6
AgentTesla
9efa06e1e51881862d5c07970aac24aae3e6e6628dada0af5dadd665b7ed2d77
AgentTesla
f7f500ae10617ec8879e4af825113707ff1284872a5d9eca789b52e336f295f9
AgentTesla
+ 10'592 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z a5d4dbba2b7294f20a501bab02150d9cb0041783944f5a620d30a875deac94df

AgentTesla

Executable exe afa01ac749d07add64b68dbeb19d3723fe9a11f9fd5e55deb803949837e3e936

(this sample)

  
Dropped by
MD5 51e7df004a78ad5e9a1c1bde1c8d9c13
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a5d4dbba2b7294f20a501bab02150d9cb0041783944f5a620d30a875deac94df

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments