MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 207d485dc8d7045b026b48f749be81e72b1cecc209a92809639df496b63eddd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 207d485dc8d7045b026b48f749be81e72b1cecc209a92809639df496b63eddd3
SHA3-384 hash: 8b86755993584ea20e64f53daa4ab95ed1cd25503874c566a71cb452d7e773b4c80d7ad5ea3de3e3132f2238df98f29c
SHA1 hash: e170f1f85ba5835b70aaad3aed9e2dce01996ec0
MD5 hash: 56ded7c8d7ace70e1246acea37bf6a82
humanhash: arizona-five-neptune-bravo
File name:090922209000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:824'832 bytes
First seen:2020-04-29 19:35:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 556c6a7e5f749bf800bb7913c54276f4 (10 x AgentTesla, 8 x Loki, 4 x RemcosRAT)
ssdeep 12288:jJtGIf+pco+KipZHb9GNTU6Bd1K/+71UWS331cWOTr0W7rRMtp56K:jLdfZhpFb6TU2uE19S3uWmr656K
Threatray 11'256 similar samples on MalwareBazaar
TLSH BF05B026E1D08877C1732A3C9C5B9774A83A7E103D29A8472BF4ED4C5F78691363A2D7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mono.avnam.net
Sending IP: 190.210.186.210
From: Sales <sales@valveandfitting.com.au>
Reply-To: sales@valveandfitting.com.au
Subject: Request invoice clarification
Attachment: 090922209000.z (contains "090922209000.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 00:52:02 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eb6uqxoi24cfwatljd3utpub44vrz3gcbgusqcldtx2jnnr63xjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2b59fb2c9fbc9f96a52c190ab272a383fbc87ae444ca0b10472f3d28cef226b0
AgentTesla
34f712cf924d76de4f93de3ddc9a0bb9a55b97bf64f2e36c7c0ae49ede694dfb
AgentTesla
48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a
AgentTesla
4e572772b1f4f02a1cf0194b2d560638e1898f467827beb525dce28278baacc9
AgentTesla
71079b6770db403249ebaef088f4e3929d357ac797a470f64fd240e50a995a4c
AgentTesla
76e663fac059a1659275bf54e20ee9ee4667fdbd0c7a7a7c40b4fa472ce4e186
AgentTesla
87626640140d28f12ad7797fb1a99db9e448cea959f452664873f81231cb9087
AgentTesla
9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1
AgentTesla
a574b201fa1b1b05d857cff48993efd19a3f700c55d6a7ea8ea9a1da30becb62
AgentTesla
a63dfd81e0eb6283bc0051a3c1f80ba0eb818d132aafe5e6a1cc3cd63a3433ff
AgentTesla
+ 11'246 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_yahoyah_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 335301dd68f7161ccb471bbfd8ce6dd5fac1291fb2f2c8273c5f19fd029bf11b

AgentTesla

Executable exe 207d485dc8d7045b026b48f749be81e72b1cecc209a92809639df496b63eddd3

(this sample)

  
Dropped by
MD5 62437b217d753f4f7181bb57534ed9b9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 335301dd68f7161ccb471bbfd8ce6dd5fac1291fb2f2c8273c5f19fd029bf11b

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments