MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041320839c8485e8dcbdf8ad7f2363f71a9609ce10a7212c52b6ada033c82bc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 041320839c8485e8dcbdf8ad7f2363f71a9609ce10a7212c52b6ada033c82bc5
SHA3-384 hash: 55d4c333cf65198ebb3f77bc6b0402e14d82e2928c640b88743547a0c1d656b80c0166cbc721a88b2ec3d6ac37ad98d8
SHA1 hash: 23a0b4655bc51fff966ba87d350c769c833d873b
MD5 hash: 791a1240d70a20f2b1383dc1bf8d6f90
humanhash: september-yankee-washington-yankee
File name:vaccine release for Corona-virus(COVID-19)_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:102'400 bytes
First seen:2020-04-03 11:20:11 UTC
Last seen:2020-04-03 21:07:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c8457ec39ff3f11c8e9a32890de9c8d (1 x AgentTesla)
ssdeep 768:2Lw2t5RT1oL4MFRrNhI0BgJreVJBuj0/p4P+O2k5BjBYzM5qeMrzA:B4toL4MFRrNiBJQoK4pDjBYziqen
Threatray 276 similar samples on MalwareBazaar
TLSH 1BA3E612BD51FD50C4104EB19DBAD3EC8129FC749D496A87BAC53FAE3C300A2B651B8B
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: mail2-ppa.jpcinet.co.uk
Sending IP: 212.113.198.219
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19) (contains "vaccine release for Corona-virus(COVID-19)_pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587 (208.91.198.143)

Intelligence

File Origin
# of uploads :
3
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Generic-7647392-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 10:09:28 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqjsba44qsc6rxf57cwx6i3d64njmcoocctsclcsw2w2am6ifpcq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
17c1432427baae5d78a79ec3b031e7bd1cccdd7aa87f8334d828ed15669b8337
AgentTesla
2882a3ea96a1a8ecb97c338a9903d110b1f2859bd424e6e34153667b29d876c8
AgentTesla
2a8b84761200ff05a63ccc2f2f8d2d95e55bacbf3dfa425b6d0a1d0228fb8078
AgentTesla
5e65e89ec413345a3e2b5476b6e639423e955aa3a34e36d82d621ed15e53383e
AgentTesla
632562060da02f7ed5e92b1fe1bd94ce8d993cb134e93f8294beade2f0f42974
AgentTesla
739d40c80783a52ae341907b2996cac8a4a51189c176d9e3270a74c3e9d7779b
AgentTesla
db3dc621a55c6535d327ff8564558ad82edbf9ab1b424ab0d093df443b9562fd
AgentTesla
e424e9bbd3853459d205936d047a3bd08529ffb857dcc47a279e5c2c9fa820f1
AgentTesla
ef9a7d180675555b686e1c20b4a361bba647fb1b9248fb0b83ca034a6ddb6755
AgentTesla
f5f22da770bfd33da2fa26f353f66a96cb4fa0304b885949db4b2b50113b090a
AgentTesla
+ 266 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar fc2cc8b7cf51f41d40121d63c21c9ae1af4f8f6126b582ace5ed4a5c702b31c3

AgentTesla

Executable exe 041320839c8485e8dcbdf8ad7f2363f71a9609ce10a7212c52b6ada033c82bc5

(this sample)

AgentTesla

Executable exe 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2

  
Dropping
MD5 641b595a4f0d6fc67f702417eab2727b
  
Dropping
SHA256 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2
  
Dropping
AgentTesla
  
Dropped by
MD5 4715b05efb49029d9f7675b71881aa13
  
Dropped by
SHA256 fc2cc8b7cf51f41d40121d63c21c9ae1af4f8f6126b582ace5ed4a5c702b31c3
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaObjSetAddref
MSVBVM60.DLL::EVENT_SINK_AddRef

Comments