MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4587ca2f64d875b1d6e41906a820696f7d9d813f8f8401b6e0728cfbb348415f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4587ca2f64d875b1d6e41906a820696f7d9d813f8f8401b6e0728cfbb348415f
SHA3-384 hash: c9290721a3ec61211965075446fc43dd3317038a39e6c6d05ba4b60440a915da301d9a32d689f0932b3d764fc8cd02d5
SHA1 hash: 9b9c1b4ce87a484331677cdd2ad05d46c2a1f43f
MD5 hash: bbb8e97baf68937ad4d37f1ee142b581
humanhash: hotel-oklahoma-twelve-ack
File name:PRODUCT LISTS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:450'048 bytes
First seen:2020-04-01 12:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:WH2iNMHQdCbxoBR/+nWDkRUup7kCSHgb4O6:g1KwnkWup4HkZ6
Threatray 1'674 similar samples on MalwareBazaar
TLSH C6A4122173188A3BCD6809FC25139950A3BAB3251152D3CE5CE953EF4EDA7DA5702BB3
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: linux1117.grserver.gr
Sending IP: 95.216.16.146
From: U.S. Department of Health & Human Services <Hubert@ushealthdep.com.us>
Subject: URGENT NEED: U.S. Department of Health & Human Services/COVID-19 Face\x0a Mask/ Forehead thermometers..
Attachment: PRODUCT LISTS.rar (contains "PRODUCT LISTS.exe")

AgentTesla SMTP exfil server:
smtp.bapipl.com:587 (208.91.199.224)

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46147.462.3452.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-01 12:35:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwd4ul3e3b23dvxededkqidjn56z3aj7r6cadnxaokgpxm2iifpq._file
Verdict:
unknown
Similar samples:
202e40782853b6efd0c62a2cbdf33891463302014b21b026ef35d51e2d889bac
AgentTesla
3147804cd376f42bc7b89614a40adf096b91391c1f768e9926b69951f8e09db1
AgentTesla
4a0e435e16417fce4124563f90343d490f2b7efb9192ca11e42d593be7e8a84a
AgentTesla
6c34622d44f5902532e5a5d62413bf96700fad63b9ceb5fe64f64e1e53c0e889
AgentTesla
90389790309ed963a0908cec1a9a6866ae0c6e41c8103454f3a311bc93a21125
AgentTesla
a6cc097da2bee5d66e38a786047089065ad694607297795f7088847cdcb1643e
AgentTesla
aa7cf195c540803383a53aef054355871842e7ff152e96e4a838d07d3bbc6de1
AgentTesla
af72965aecd13c67c0e1416b597871dfe4ded290d17b4e267cce1e7bc6002e52
AgentTesla
df54803a477f2cc519ec0a1643cf2f4a63b3b260b8a6f43372d733629f1f3b03
AgentTesla
fe41fe0b302887f61f20473015f386ab57ddb4cc278b3e1639c07337012a58f4
AgentTesla
+ 1'664 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ef4f226faa6c2cc57b44e919030efad68bedb81613d4d04eaf88e468249ff3ee

AgentTesla

Executable exe 4587ca2f64d875b1d6e41906a820696f7d9d813f8f8401b6e0728cfbb348415f

(this sample)

  
Dropped by
MD5 124c4a26de5791f9e3b844112e6e2557
  
Dropped by
SHA256 ef4f226faa6c2cc57b44e919030efad68bedb81613d4d04eaf88e468249ff3ee
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments