MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4df0af062e1b998ecd50c9262ba2f2de9fb9fd300a7fc2596ecd3f4f5f224d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

SHA256 hash: cd4df0af062e1b998ecd50c9262ba2f2de9fb9fd300a7fc2596ecd3f4f5f224d
SHA3-384 hash: 73a9eff60037da7ec2886a1e6bdd3191e7b8b315ebb471a9a832124f786a73f4e3b81fd5d8c70da2584199f7f262ec23
SHA1 hash: 97824f5644ac56c5669c364cfb2619be7abce234
MD5 hash: f67cfb9e4e99b89736eb6e44609209c8
humanhash: lake-may-mango-robert
File name: ERQO PO Contract and PI.exe
Signature: AgentTesla
File size: 864'202 bytes
First seen: 2020-04-30 12:43:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ef6a8a8a819568806ed8cfc5418a27c1 (2 x AgentTesla)
ssdeep: 12288:zU8nj3y0iM7Sq8/q8Oq8+q8Lq8VBrj63E10kZV9+OnEBBd73TA3NQS:5piM7B8y8V8l8G8bd10krE9A3GS
Threatray: 11'114 similar samples on MalwareBazaar
TLSH: FC056D537E5C18A1C59810F157DABA0F24EA3C2F01FC67172B2AEFE9AD6604770B162D
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: qproxy1-pub.mail.unifiedlayer.com
Sending IP: 173.254.64.10
From: ECEM GUREL-ERQO <ecem@erqo.com.tr>
Reply-To: ECEM GUREL-ERQO <mog_b@mail.ru>
Subject: URGENT PO Contract and PI Request
Attachment: ERQO PO Contract and PI.rar (contains "ERQO PO Contract and PI.exe")

Intelligence


File Origin

# of uploads: 1
# of downloads: 92
Origin country: n/a

Vendor Threat Intelligence

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe cd4df0af062e1b998ecd50c9262ba2f2de9fb9fd300a7fc2596ecd3f4f5f224d (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                      Severity
CHECK_AUTHENTICODE  Missing Authenticode                                       high
CHECK_NX            Missing Non-Executable Memory Protection                   critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection   high

Reviews

ID      Capabilities                   Evidence
VB_API  Legacy Visual Basic API used   MSVBVM60.DLL::__vbaSetSystemError
                                       MSVBVM60.DLL::__vbaExitProc
                                       MSVBVM60.DLL::__vbaObjSetAddref
                                       MSVBVM60.DLL::EVENT_SINK_AddRef
                                       MSVBVM60.DLL::__vbaFileOpen
                                       MSVBVM60.DLL::__vbaLateMemCallLd

Comments