MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 087697d241c62f0668f25caa7c739611b4ab1ff5ff7fba466757e67aa5e3a608. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 087697d241c62f0668f25caa7c739611b4ab1ff5ff7fba466757e67aa5e3a608
SHA3-384 hash: 66e3e2b51bac02a957819dd974c75c55518151031249741acba0fd799ef08acf45f25fd34a6095436d64d01d4e75380f
SHA1 hash: 0e57da7db883172c169461f25940feb75ef7866a
MD5 hash: b7b3ff3f7e197049db7c20001f0ea2e4
humanhash: muppet-two-michigan-fillet
File name:CoVid19_BAH.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:389'632 bytes
First seen:2020-03-30 11:00:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:v9JDx1LzVBm3efN9Nnfa0WBfML2CVTCYR6rTIIOI84M1EI9botgiGqGbQeu/pZsD:v9JDHzVBmufVfaXJML2CVTCYkTRDwE2x
Threatray 10'458 similar samples on MalwareBazaar
TLSH 39841264AA5862BFCFCF14789422B684D33A860654D3FB4D9D84B8B456F73C34902BBD
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgenTesla:

HELO: slot0.taweelholdlngs.com
Sending IP: 104.168.149.238
From: "Rico Tam" <info@taweelholdlngs.com>
Subject: We can sell surgical masks, a thermopile IR sensors to help you fight the COVID-19
Attachment: CoVid19_BAH.PDF.rar (contains "CoVid19_BAH.PDF.exe")

AgentTesla SMTP exfil server:
mail.cargoair.bg:857 (91.230.195.25)

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.45990.27361.29315.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-03-30 10:40:34 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bb3jpusbyyxqm2hslsvhy44wcg2kwh7v7573urthk7thvjpduyea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0706ececad9a0a3c7873b3f48625d31a78c9e82374d2f629d477677a649ec26c
AgentTesla
1a7fe9f45a80c2dae0237cc9aada201d3fa5eca08bfbc297e48f22faa35f131e
AgentTesla
420d2d11f2a47d6001c52c27be90bb4c1221242af9b5c44381d0012e84aa75b3
AgentTesla
4b8b49bdfa435d0faba2e3964b04e20bbfc86aa4ffc3c3b8e1449894892f125b
AgentTesla
5ca99517ae76972d3dab6e51515a57e15e75e7bb7c3a7e16228f770fcc7833e9
AgentTesla
617f064cf0b429f8b08e269b8e53ef611a1cfb4bbf329e8683709d0d0e4f17f3
AgentTesla
80e321d63e5c084fbd8c213f315e9eb7e56b7fffdbeb48c2c35f9e172bba9c36
AgentTesla
af090158e0913e0202e9e61d41dd891e697e1b2bfa59cdda2c81da1067ac5e79
AgentTesla
c48ab81f93ccd69c6d2b796cb4f431db97179480bf6251b715347b0b32dd500e
AgentTesla
fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f
AgentTesla
+ 10'448 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 25930169faa350b9836332d465571ac350970b4a3fa17a95d6dfe31e797c5d71

AgentTesla

Executable exe 087697d241c62f0668f25caa7c739611b4ab1ff5ff7fba466757e67aa5e3a608

(this sample)

  
Dropped by
MD5 cb24a2db014652e365f85a294dcc42f2
  
Dropped by
SHA256 25930169faa350b9836332d465571ac350970b4a3fa17a95d6dfe31e797c5d71
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments