MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bdd08d6795379ec86f205b7f1be9c2b638fe95a21ec55a8700a7c6d2363f68f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bdd08d6795379ec86f205b7f1be9c2b638fe95a21ec55a8700a7c6d2363f68f
SHA3-384 hash: b26bcbbedec2c873001b185966fc3b69246c775d040299cc41152dba96a08323d3aabfd837b3088709e4e9203428c31d
SHA1 hash: 0cbf76f36f7dab333a91fcd71bd74ffdaa8463ad
MD5 hash: b757af52b0dd7e97d801f22f8d4ee432
humanhash: uniform-emma-kansas-gee
File name:2399_DCMP_1004202.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:456'192 bytes
First seen:2020-04-29 17:32:37 UTC
Last seen:2020-04-29 19:05:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:cywK1G1QRGMU2sYoaeFTbFfhCyvkZ55SeVsHMPv:cLK1G1KU2MakTbFfhFkZr
Threatray 10'499 similar samples on MalwareBazaar
TLSH 94A4CF6C764075EFC867DD3689A46C10FA10B4BA530BE353E45B06ADA94DADBCF102E3
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp.safemail.it
Sending IP: 147.123.1.124
From: Secretaría de la Coalición de Negocios Globales<info@globalbusinesscoalition.org>
Subject: Coronavirus - DPCM 29/04/2020 e comentario de confederación

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisB757AF52B0DD.13451.UNOFFICIAL
Create hunting rule

Win.Packed.Nanocore-7758947-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Rrat
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 11:53:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpoqrvtzkn46zbxsaw37dpu4fnry72k2ehwflkdqbj6g2i3d62hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4dd2b414c77ad5e60685dd8afbb92d5bf6e3ed11edfa368ae0b8b042c7cec53b
AgentTesla
518f61b23eb64a58b3bc75b881de46dbbf852a3f77ae3677d5763caeb2ad913c
AgentTesla
51d2148d14e4b9f01226e3e53fa73e45fb67bf73037a68e032316954ca7babbc
AgentTesla
623e37acf038d163685f53206e0a5090a2178b7b9a4788ab5fbbf24f723d1d55
AgentTesla
6fc32bb95555c9c2ed28b12a287e838afac9a1d7888aa022ce494ce0b75a640f
AgentTesla
b775d2aa67b592663e6302c3978819d81716854281936e3e800720aaa06b25c7
AgentTesla
c11379bd7e59df5f1715c22cb396ac9b5c5233867936e29aa7f27b9e3b410f7e
AgentTesla
c6c1a098e493a3c1352af758cd13093b1d7c395f3d0bd3a5668a6121ec5896d5
AgentTesla
d444059c72ee1b5b335eed7d5985b959c831d4508860222eb277683e77d02eb7
AgentTesla
fe996a84af7536042d8dd2fa09dd6a46120e5efa926eca53de867f74cb0130ad
AgentTesla
+ 10'489 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso d0211802a977e1e9f87a6f2bbd760170f4d0c0773d99339247f9b78867d8815a

AgentTesla

Executable exe 5bdd08d6795379ec86f205b7f1be9c2b638fe95a21ec55a8700a7c6d2363f68f

(this sample)

  
Dropped by
MD5 69f055607b19850e51ac46ec38e4255a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d0211802a977e1e9f87a6f2bbd760170f4d0c0773d99339247f9b78867d8815a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments