MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 086c1521c7a0fbd3682735839bb71e477a3b58925fb20822b92971fba0cf8e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 086c1521c7a0fbd3682735839bb71e477a3b58925fb20822b92971fba0cf8e05
SHA3-384 hash: f5ddc9b5f7f35996048c04aaad9f5ad7a131eb080935fc49045c252e7db07f9f922b6f954550bae4dfaa795207554250
SHA1 hash: 2e240b7b1038bbaa03443818cb82f1e9bcf69d8c
MD5 hash: 4cc0b03cd04cbd6578dd8571680ca448
humanhash: carbon-mirror-four-zebra
File name:Delivery Status for Shipment of Goods.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:848'896 bytes
First seen:2020-04-03 05:48:28 UTC
Last seen:2020-04-03 07:18:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a2e488bb8211c84ecadafdfe470552d (6 x AgentTesla)
ssdeep 24576:ogY0Nu2QbdZspe3kI2eol5CHEiff9c9ygKdxj:zY0NiDspHI2f5CHEWc9Zgj
Threatray 10'958 similar samples on MalwareBazaar
TLSH 2A052309D0D6304CD5992D7532AA79E40C7870B52D9E3E43AE48DAED3B398E7DAD4323
Reporter jarumlus
Tags:AgentTesla COVID-19

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 06:35:29 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bbwbkiohud55g2bhgwbzxny6i55dwwesl6zaqivzffy7xigprycq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
39436f7a65addc64e6d315ff21c45378e897fe5ec175b8d4e3879ba83a41ce6b
AgentTesla
765d4e32e33979b9ee122877162ddb3741a2cc7df514b96b637e28651399be70
AgentTesla
9e89e61ca7edd1be01262d87d8e8c512f8168f8986c1e36f3ea66a944f7018fa
AgentTesla
c566031f2311f0c6769a2bd7280e2b58760ef3df4090b37e542f2f911cbc4f49
AgentTesla
dde1a479210f5225b0312ff6d155d870a094837a26338d594fb431134449aa16
AgentTesla
edced06a3011186bdf81b8e16739f41cb226ce9fdd57e9d8d006da27874aea65
AgentTesla
ee2f0d83f28c06aee4fc1d39b321cfc2e725fe2c785c4a210bb026e2b3540123
AgentTesla
ffd1a82e1d23f8ec7cc030091831a3977a1a1247790f8bd3d436c551059e9375
AgentTesla
+ 10'948 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments


Avatar
commented on 2020-04-03 11:36:23 UTC

COVID-19 themed malspam distributing AgenTesla:

HELO: bellnet.ca
Sending IP: 156.96.58.98
From: Logisitics <gruchallainteriors@bellnet.ca>
Subject: Pending Delivery Status for Shipment of Goods (International transport - COVID-19 - Update March 31, 2020
Attachment: Delivery Status for Shipment of Goods.zip (contains "Delivery Status for Shipment of Goods.exe")

AgentTesla SMTP exfil server:
mail.kanzen.com.my:587 (110.4.46.52)