MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4771ad2ea30c1ac1dbf9e6358478b9fd0d6525a4b9c19e0610f7accd1d1151af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4771ad2ea30c1ac1dbf9e6358478b9fd0d6525a4b9c19e0610f7accd1d1151af
SHA3-384 hash: b7febbee83156371e9e00af942c3d2750ec77f5d15cfb18f260e70473b85b484730f47ff41d2736030c2c1de7e15b001
SHA1 hash: d3edafbb0025f024e48ab7dd7c3161d5f6081198
MD5 hash: 4b7d782e9374dbd44819b941cf0ebdde
humanhash: september-floor-arkansas-lactose
File name:Document 13042020-245784672009856905957758598.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'562'112 bytes
First seen:2020-04-13 08:27:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f2536b94028a679402c21327e48c73db (1 x AgentTesla)
ssdeep 24576:odG8BXzevU130jYxANjNT6FQm1aLHhW4EhGqT+NuJsHKq7+tWBvJ/h6D4tt5VqzT:2G8VeK72LrEhjqbKqatWj/h6Ea
Threatray 9'074 similar samples on MalwareBazaar
TLSH 1A75D182F6C190F1EA910071BD65D7AE5F327C118D20EA17E7D83E1F8ABF5406A2B275
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: server.eurolotteria.com
Sending IP: 142.4.9.187
From: Managing Director<md@victim-domain>
Subject: Evidence Document Containing Staff Misconduct During This Period Of COVID-19 Pandemic 13-04-2020
Attachment: Document 13042020-245784672009856905957758598.img (contains "Document 13042020-245784672009856905957758598.exe")

AgentTesla SMTP exfil server:
smtp.maizinternational.com:587 (208.91.199.223)

AgentTesla SMTP exfil email address:
sales@maizinternational.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Kuaizip-6840562-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-13 08:35:22 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5y22lvdbqnmdw7z4y2yi6fz7ugwkjnexhaz4bqq66wm2hirkgxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
373bbf9fe0aa747106f165d07c474e8e73c891e0150c87c90d8f389a3621c044
AgentTesla
4917103eef77ce8fd5beb88efd446180445e0ee6ac933f5e42443d3673d62bc8
AgentTesla
6dc407eb41b8a813558364ae42dcdcce2019209615cc73141b9b6b91de15fd29
AgentTesla
7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
AgentTesla
b00ffbe33a4398cdfdb136564f24dfd6ff292b11a9adbc4041aa2a532af6edfb
AgentTesla
bcc826091ec71230947aa1916263434935a58ffe5977cf415b1d970633939652
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
ddd78da962ab1cd6366af9c647daaa7f234e8125c62b10cab1eeb715f4c0e514
AgentTesla
f6fc7442449ac48b039f5e29230bd26383b62bee2a050f5e81553755b69e6f25
AgentTesla
+ 9'064 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img dc502f9df7767e1a0a01e13dad15920112230534f92d274ba0fd317c2e0b1cfd

AgentTesla

Executable exe 4771ad2ea30c1ac1dbf9e6358478b9fd0d6525a4b9c19e0610f7accd1d1151af

(this sample)

  
Dropped by
MD5 aada636cf06553519c9dbd14b3bd191b
  
Dropped by
SHA256 dc502f9df7767e1a0a01e13dad15920112230534f92d274ba0fd317c2e0b1cfd
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipAlloc
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetConsoleCursorPosition
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::ReadDirectoryChangesW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SCARD_APISupports Windows Smart CardWinSCard.dll::SCardEstablishContext
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAIoctl
WS2_32.dll::WSARecv
WS2_32.dll::WSARecvFrom
WS2_32.dll::WSASocketW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::CreateMenu
USER32.dll::FindWindowA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExA

Comments