MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74e87df85fd5611d35336b83dc132150327378cc06101ec3f40b84a9c8482d47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74e87df85fd5611d35336b83dc132150327378cc06101ec3f40b84a9c8482d47
SHA3-384 hash: db6c997cc9143839dbf828f93078a03b4f9650a23887ee38cfe0725f5a1e06599feb569b6509cbdca6d95b7023b0050d
SHA1 hash: b88da1b3a633beb8fa924349e39744a55c3aa4ea
MD5 hash: b1d52a98444d26b17885f8dbef3060b9
humanhash: violet-friend-emma-east
File name:General terms & conditions for procurement.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:456'704 bytes
First seen:2020-04-06 09:33:49 UTC
Last seen:2020-04-06 10:55:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:kuVRWXdUz6cPmHfYWRdOCkY/ddl2p9Cc/z1nDCQ:ZWXdTcSfHRbkGdip9Cc/z1uQ
Threatray 10'573 similar samples on MalwareBazaar
TLSH 14A4D04073765B6ADDBE87F71125624027B1652F79AEE3244CC2A0EF1875F404AE2F2B
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: gki.com
Sending IP: 212.114.52.146
From: Yousuf Muhsin Zahran Al Nabhani - UES <YNabhanl@gki.com>
Subject: Urgent Inquiry For COVID19_RFQ for Document No. UES/SCM/002 rev 1
Attachment: General terms conditions for procurement.7z (contains "General terms conditions for procurement.exee")

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.34125.7999.28836.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 05:00:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=otuh36c72vqr2njtnob5yezbkazhg6gmayib5q7ubocktscifvdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06920e2879d54a91e805845643e6f8439af5520a3295410986146156ba5fdf3c
AgentTesla
31de84180c22ca65bc34ba7c57f9a89072332de81061111c9cfe118252d52713
AgentTesla
48cb0c4fdfb4205cb6453b225e6b0d52a0eaff3dec5d500d9b781e716fd4c394
AgentTesla
51c880ac2d8f67890282f3a3950fbcee91fde67e2d6c7e1cf3cf1d4f497bd73c
AgentTesla
7370ee1e9d1f0e92dab8c0815a9a0c08ddf06dd21fe7dc0743ceb4116ff0bfab
AgentTesla
95d835e5420469346f203795885997bacea62706a1d68fdedac0be0f25330a05
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
a2846e83e92b197f8661853f93bb48ccda9bf016c853f9c2eb7017b9f593a7f8
AgentTesla
b2039b0fadc93d87682989cd23067c9b049f2520c49722006e2340e3236a9918
AgentTesla
eaf438c55827cdc66854335ddd88907d8cfc389a4ddf02f8bfda152e5b1766a5
AgentTesla
+ 10'563 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e3dd933998c5ecc3abc9a27c70a43f33ad3a022eb4cc61155183f7f817d0a37b

AgentTesla

Executable exe 74e87df85fd5611d35336b83dc132150327378cc06101ec3f40b84a9c8482d47

(this sample)

  
Dropped by
MD5 88ff6a84964f651a5a4c2008bc0bd66b
  
Dropped by
SHA256 e3dd933998c5ecc3abc9a27c70a43f33ad3a022eb4cc61155183f7f817d0a37b
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments