MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50f42960eb882be0f35a1f4d15edb0ab6e8aea2211dbae7c358288f2b7846fba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50f42960eb882be0f35a1f4d15edb0ab6e8aea2211dbae7c358288f2b7846fba
SHA3-384 hash: 99d98878b1a538f09192d7e9c8712bbcf03caa9dc5faaee3ab2a70256cd01108ccfc66fc5243cf0318d2bea7f57ee367
SHA1 hash: ca8f5d6a121123165486ddcbe4450d151ecbbff9
MD5 hash: 716c1b40449ab88d7ee045b6628a27e7
humanhash: finch-blue-don-comet
File name:ford0104_smallzzzz originnn_11cr3.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'221'632 bytes
First seen:2020-04-02 04:29:58 UTC
Last seen:2020-04-02 06:08:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab4d4b8e2d3020b940f06432922fc22d (1 x AgentTesla)
ssdeep 12288:DbTR3uVHAH/9NZTJ0NpYFeDcDWSmz+uSIqh+FK4T7YyFZU8TpQME1HkJVjq7w+17:F+AAQ4TTFLlRJd8Uv5c0pmWa029Vfs6
Threatray 10'092 similar samples on MalwareBazaar
TLSH 4045EF50FA81C072F0B311B156BB87B65D39BD31072655C7E3D43E6A2E342D1BA393AA
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: wbsc.com.na
Sending IP: 45.143.222.201
From: HR@xxx <sg@wbsc.com.na>
Subject: (UPDATE COVID-19) CLOSE DOWN ORDER FROM CDC 4.1.2020
Attachment: COVID-19 CLOSE DOWN ORDER 4.1.2020.img (contains "ford0104_smallzzzz originnn_11cr3.exe")

AgentTesla SMTP exfil server:
smtp.agifreiqht.com:587 (208.91.199.224)

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46201.2593.3011.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dropback
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 04:35:44 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kd2csyhlrav6b422d5grl3nqvnxiv2rcchn247bvqkepfn4en65a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
0eec03f91bdb47839b74e2349be4173e9a6597eef7bfc38d718af770251487ff
AgentTesla
38206868d99ebc4c53f8f33daabe052724c36d71382bcbc98a37d12f0482261f
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
50762c245b64ddede69fe5db39aec6c4c31bbb18520c6696368aa39ddea03006
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
AgentTesla
8d2625935b4f6a1a8f1698ec24d609319f9f1f86811e1e36f198e9467c3103b7
AgentTesla
d43c6aba8577d6f6e846545d25587748ff13e676320936f4c3104ba94e22e24c
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
+ 10'082 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img aedf3ee1b6ce171fdfe2febcc113d8b0d86a80fcd27da892acda42ba9ed9b4c7

AgentTesla

Executable exe 50f42960eb882be0f35a1f4d15edb0ab6e8aea2211dbae7c358288f2b7846fba

(this sample)

  
Dropped by
MD5 4d82f1a04183474ac2d185d2ce736ed3
  
Dropped by
SHA256 aedf3ee1b6ce171fdfe2febcc113d8b0d86a80fcd27da892acda42ba9ed9b4c7
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_APICan Play MultimediaMSVFW32.dll::DrawDibOpen
WINMM.dll::mmioAscend
WINMM.dll::timeGetTime
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
wer.dll::WerReportCloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTitleA
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetSystemDirectoryA
VERSION.dll::GetFileVersionInfoSizeA
VERSION.dll::GetFileVersionInfoA
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextA
ADVAPI32.dll::CryptCreateHash
ADVAPI32.dll::CryptEncrypt
ADVAPI32.dll::CryptGetHashParam
ADVAPI32.dll::CryptHashData
ADVAPI32.dll::CryptImportKey
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::WSAIoctl
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments