MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e97b35c4339e0412571a445b2fe20e30fe91585cad505820b56a098a66e54c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

SHA256 hash: e97b35c4339e0412571a445b2fe20e30fe91585cad505820b56a098a66e54c23
SHA3-384 hash: caf924ae576307a244c15690d7cb39f695fef044ddc38b69b46c48bc57c33d35766af1801deac1760e2cf25908af0a9a
SHA1 hash: a9b9437f2a3408d7d7b7e2eb3cf3740f7806cecf
MD5 hash: de469fdf2dea2262671309d613c8ac4c
humanhash: table-october-video-pizza
File name: be45bf7f251ecc68fc1210b927aa7453.exe
Signature: AgentTesla
File size: 297'472 bytes
First seen: 2020-04-02 13:35:19 UTC
Last seen: 2020-04-06 13:05:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 6144:fgYLudz42rixRoFLXp+0qCka4P/tWm0QYTA+bKcoGT7:ohB4lQrItWm0BdoGT7
Threatray: 10'505 similar samples on MalwareBazaar
TLSH: F754397D2B88B902F73D493289D5266026F1D4934E22CB0F6EC55BED7E527CA2C4A385
Reporter: abuse_ch
Tags: AgentTesla exe GuLoader

abuse_ch
Payload dropped by GuLoader from the following URL:
https://drive.google.com/uc?export=download&id=1CLCbjFy3aoGBl07CLV-M4GdEGw7Io-ns

Intelligence


File Origin
# of uploads: 3
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Autorun
Status: Malicious
First seen: 2020-04-02 14:35:26 UTC
File Type: PE (.Net Exe)
AV detection: 27 of 31 (87.10%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 9476fb8b61f96d60d0921f6bd2b826f7
Dropped by: GuLoader
Dropped by: SHA256 afdb3acddc897f0f5e73d5c722eab77cbb2a2e06ba83299992dd3cadb62d6c61

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high

Comments

commented on 2020-04-02 15:33:52 UTC

COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: ns392991.ip-176-31-110.eu
Sending IP: 176.31.110.7
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: COVID-19_040220.rar (contains "COVID-19_040220.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1CLCbjFy3aoGBl07CLV-M4GdEGw7Io-ns

AgentTesla SMTP exfil server:
mail.asesoriaurquijo.net:587 (31.193.225.102)
