MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b118ca52854a3b93972f45bb855b53619989ccd40bda3e9c5ec068690e63175. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b118ca52854a3b93972f45bb855b53619989ccd40bda3e9c5ec068690e63175
SHA3-384 hash: ef1fd42de4ec5816366943baa7561683e6557347cac2dfa39e8ff7d2cc4c02349a7eaff8aa1f7967c6f470b3d14dce83
SHA1 hash: caed8931582103f3f2a5403c67da3e5ec2f5fa98
MD5 hash: 06743dcd7600d023c38782c676ed400a
humanhash: finch-mike-island-nine
File name:Covid Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:492'032 bytes
First seen:2020-04-30 06:08:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:dpNpu1Y/u+dwtsexLG5VD8e4uH66g7lYNRvh8kDvS:dpNpuMu+dwtsgEfx6RlMv
Threatray 10'534 similar samples on MalwareBazaar
TLSH 1FA4D0AC765075EFC8A7CE32C9A85C20FA5170B7530BE343984B169D994DADACF142E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cgc-kw.com
Sending IP: 37.49.230.116
From: Ranjith.valappil@cgc-kw.com
Reply-To: Ranjith.valappil@cgc-kw.com
Subject: New Order
Attachment: Covid Order.gz (contains "Covid Order.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 08:43:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmiyzjjiksr3sols6rn3qvnvgymzrhgnic62h2of5qdinehggf2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04a9ddb426b6bc9febd1f0fdf436cde01976a37b8c99fbbabbd0076ac4a0be92
AgentTesla
1e52eae0d858b4fcdd21d5ffcc013da8706adda92afbb791e704556362b8f19c
AgentTesla
62433e4de86d61a56cfc3333382d8a43d666a4839415a88ceca53a0754e06636
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
97c3cf905c068daf00bbc9c10810ff4437d953c3263e962b0454d0babcfe5494
AgentTesla
ab6bbb348634bfb3df677d9b6c1c9ae03d1fe404847cb2e688ad88d978f67188
AgentTesla
c371004e8407621dcf815c95f130ef0bbfeec0dfcee1433800e56a9b247b8702
AgentTesla
dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e
AgentTesla
e81d6248c4a2573bb76f309ae753dcea56596aec8c516d22509e479cce758e8b
AgentTesla
+ 10'524 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 30f4f7e183705122849741988a0005590cd0a95287abd7b03a09a0b878b468e9

AgentTesla

Executable exe 1b118ca52854a3b93972f45bb855b53619989ccd40bda3e9c5ec068690e63175

(this sample)

  
Dropped by
MD5 709e121dbe82bcd02485e70b056fa613
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 30f4f7e183705122849741988a0005590cd0a95287abd7b03a09a0b878b468e9

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments