MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9109a10e2bd041f96b560137b5a5f18c0f03fd399d5386793888b596871defe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9109a10e2bd041f96b560137b5a5f18c0f03fd399d5386793888b596871defe
SHA3-384 hash: 552b5ac0ea345883c5742dfefc41c4107935d827e50650ed49cdab69cf8845c1c9d00310fb218a4777f7a642a84e3f93
SHA1 hash: 9e06146e28d4629b369ded4f6dfb4af42e4fb16c
MD5 hash: 81f45ac71f9972f0a39dae1bef60250a
humanhash: island-early-south-virginia
File name:COVID-19 Customer Market Impact - April 21.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:557'056 bytes
First seen:2020-04-22 12:00:16 UTC
Last seen:2020-04-22 13:10:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:f4259a/eufyYX+P8rR8asjTBCntfWhW6gO:gia/Tt+PM23ohWT
Threatray 10'620 similar samples on MalwareBazaar
TLSH EFC4E268CD9E4437DAE88779F4518D0DAEE8EB733152AF7E989693C411792C3A0C052F
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: atomicka.com
Sending IP: 202.52.134.122
From: Nikki Burton <samundeswari.k@milekniran.com>
Subject: COVID-19 Customer Market Impact - April 22
Attachment: COVID-19 Customer Market Impact - April 22.rar (contains "COVID-19 Customer Market Impact - April 22.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject3.38980.7247.13363.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-22 12:35:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xeijuehcxucb7fvvmajxwws7ddapap6tthktqz4trcfvs2dr337a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
28a595f1fc9773d9ffbd199d95bb1c40bc7411c7cad62a3c86edeac2bf331c1d
AgentTesla
36ba490f722e073fc1a665953ed65982e464214e0464edcee1c4a80ec601c04a
AgentTesla
54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9
AgentTesla
7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
AgentTesla
836fecdac95ba8327cf6e573e45c5f21096099e7f751ac7c6705ee8f43b2c94f
AgentTesla
95062ef3493a751756d9e95af40feffbd8db26375e78ef61f894ac37534f3771
AgentTesla
b4e4955cd0abdc5df6d5e1db5d58f3b0f1de491540371e919941f6dc9741f23e
AgentTesla
df696f5fa3df8ce1eaca951cad491770b1d7aeb6e6326a360bcdb266f6d31620
AgentTesla
fa2ddd857a72e2eb5f1243e5c6af4d1cc3bc411b2c25e8ca79c9f8bbcb25f27f
AgentTesla
fe47fd2547bff54972eca86e1f284c75a42b4a695ec3a2a1050b76f84a5b5e75
AgentTesla
+ 10'610 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar bb61d0a11ae105f17fa29d07ee18df1eb61e4256eb5a30b13551c22a39d75319

AgentTesla

Executable exe b9109a10e2bd041f96b560137b5a5f18c0f03fd399d5386793888b596871defe

(this sample)

  
Dropped by
MD5 444c1839172ac5921fe8ac52091c634b
  
Dropped by
SHA256 bb61d0a11ae105f17fa29d07ee18df1eb61e4256eb5a30b13551c22a39d75319
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments