MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06920e2879d54a91e805845643e6f8439af5520a3295410986146156ba5fdf3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06920e2879d54a91e805845643e6f8439af5520a3295410986146156ba5fdf3c
SHA3-384 hash: 3ef193c567321e1eccc6e2aa022ace44745a34e243e8839b211d658361088fc362b59e9f2d57fb73144e019bfb20d805
SHA1 hash: 5f90af6d52de04026e5c8deb9ca5b8745ba35e8b
MD5 hash: 8b982b7be058cfe3889ef5a6c02c51f2
humanhash: sierra-carolina-table-oklahoma
File name:Vent_COVID19 URGENT REQUIREMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:445'952 bytes
First seen:2020-04-06 10:37:54 UTC
Last seen:2020-04-06 11:57:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 6144:goySS31HMuJQiiy+4i8yZJNsn1ihnJjLn+8MxzhtQUdZjew5g5hA2/By+xD:AWuzkfJP+/r5LjewA/BPx
Threatray 10'531 similar samples on MalwareBazaar
TLSH 4494E000B2A8BB22C67987F2402A62554FB1769F257DF3280CC6E0EF59B5F1545D2F2B
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: bjjingdong.com
Sending IP: 209.58.149.66
From: Diagnos Medicals <sales@bjjingdong.com>
Subject: Urgent Covid 19 (RFQ 27AD)
Attachment: Vent_COVID19 URGENT REQUIREMENT.cab (contains "Vent_COVID19 URGENT REQUIREMENT.exe")

AgentTesla SMTP exfil server:
77.83.117.234:587 (urc@emmannar.com)

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46410.5939.10529.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 11:36:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2ja4kdz2vfjd2afqrlehzxyionpkuqkgkkuccmgcrqvnos7346a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1304ed05b8f1d183feec8852f16c1f0ba3198388f437a339af62bd2974d8ebdb
AgentTesla
51c880ac2d8f67890282f3a3950fbcee91fde67e2d6c7e1cf3cf1d4f497bd73c
AgentTesla
7370ee1e9d1f0e92dab8c0815a9a0c08ddf06dd21fe7dc0743ceb4116ff0bfab
AgentTesla
74e87df85fd5611d35336b83dc132150327378cc06101ec3f40b84a9c8482d47
AgentTesla
816f726598eadf21f7ea537bd2f3fec111684cb72097a4a0ebedd9ee7626fb63
AgentTesla
95d835e5420469346f203795885997bacea62706a1d68fdedac0be0f25330a05
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
a2846e83e92b197f8661853f93bb48ccda9bf016c853f9c2eb7017b9f593a7f8
AgentTesla
b2039b0fadc93d87682989cd23067c9b049f2520c49722006e2340e3236a9918
AgentTesla
eaf438c55827cdc66854335ddd88907d8cfc389a4ddf02f8bfda152e5b1766a5
AgentTesla
+ 10'521 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 2fe3dfd467eed7f8245eecbe4011f909855fd21a35377598513bb148b0ba3332

AgentTesla

Executable exe 06920e2879d54a91e805845643e6f8439af5520a3295410986146156ba5fdf3c

(this sample)

  
Dropped by
MD5 a62dffc760de683fa492e2e794505c86
  
Dropped by
SHA256 2fe3dfd467eed7f8245eecbe4011f909855fd21a35377598513bb148b0ba3332
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments