MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

SHA256 hash: 0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
SHA3-384 hash: 5f5b1f30c8e30bf12db740a5ffa2077419de1082695b9ee4fef40aa15ac56d4172a9ad9331fe5e2323323338e26d2fa4
SHA1 hash: 9d1962370ee2d24bd39893f5e34f8447d60f0ccf
MD5 hash: fb94a873a87e7feb02b3178566e364d7
humanhash: massachusetts-spaghetti-monkey-charlie
File name: WARNING OF CORONA VIRUS COVID-19 BEWARE! COVID 19 IS WITHIN!!!.exe
Download: download sample
Signature: AgentTesla
File size: 1'020'416 bytes
First seen: 2020-04-07 06:59:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c5e26694677f289b4128062081b2365e (1 x AgentTesla)
ssdeep: 24576:eJs5zbW+MmtE6ZiaiOFL1V/mnPSfhrIKRmp5gwy:eJs5zw2ZioL/a4rIKwHTy
Threatray: 11'885 similar samples on MalwareBazaar
TLSH: CB25AC2FD9696422EE9A1532C4A04FD9953BAC143321DBCBB896BF1931CC781717F70A
Reporter: abuse_ch
Tags: AgentTesla COVID-19 exe


abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: 162-241-214-72.unifiedlayer.com
Sending IP: 162.241.214.72
From: HR Department <HR@victim-domain>
Subject: CORONA VIRUS COVID-19 PANDEMIC IS WITHIN, BEWARE! WARNING!!! WARNING!!! WARNING!!!
Attachment: WARNING OF CORONA VIRUS COVID-19 BEWARE COVID 19 IS WITHIN.IMG (contains "WARNING OF CORONA VIRUS COVID-19 BEWARE! COVID 19 IS WITHIN!!!.exe")

AgentTesla SMTP exfil server:
smtp.recornit.com:587 (208.91.199.223)

AgentTesla SMTP exfil email address:
sales@recornit.com

Intelligence


File Origin
# of uploads: 1
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-04-07 07:36:13 UTC
File Type: PE (Exe)
Extracted files: 27
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery | Signature | Sample
Malspam | AgentTesla | Executable exe 0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
RPC_API | Can Execute Remote Procedures | RPCRT4.dll::RpcEpResolveBinding, RPCRT4.dll::RpcEpUnregister, RPCRT4.dll::RpcErrorAddRecord, RPCRT4.dll::RpcErrorEndEnumeration
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::ImpersonateLoggedOnUser
SS_API | Uses SS API | Secur32.dll::QuerySecurityPackageInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExA
WIN_USER_API | Performs GUI Actions | USER32.dll::EmptyClipboard, USER32.dll::OpenClipboard, USER32.dll::CreateWindowExA

Comments