MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87dbba2585c010769beba55cac0ddf7ab406664202cb17d7c463a48b22579923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87dbba2585c010769beba55cac0ddf7ab406664202cb17d7c463a48b22579923
SHA3-384 hash: 356d0063ec0d52bc8a437f64e38901bd9da23982e1d545acb00d3de258ff5deb81afdc2c732ba666adc915f55bbc9a57
SHA1 hash: 869f924b40b2dbb446402ffbd6cec53d9f5cf0b5
MD5 hash: 5037864a0aca041c3de460a6ad562b53
humanhash: timing-mississippi-november-five
File name:12000049_scan-PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:995'328 bytes
First seen:2020-05-01 11:16:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:mJgqgzFOzVtfZrM/E2JEybv8wfwwSFyypH/DwY6PFhdEA:FqgROTBMp97fvYh/36v
Threatray 10'832 similar samples on MalwareBazaar
TLSH CD257D2B3B856809D03D4AB050D99691A6767AC73D02CB4F79CB936C6F437CB3B0926D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zoli.bnbees.info
Sending IP: 178.17.171.122
From: sunny_sun <Prakash@hassounehgroup-co.com>
Subject: 12000049 交貨排程確認 - 請於周三中午前BY E-MAIL 全部回覆 謝謝
Attachment: 12000049_scan-PDF.zip (contains "12000049_scan-PDF.exe")

AgentTesla SMTP exfil server:
mederfashion.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 11:32:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7n3ujmfyaihng7luvokydo7pk2amzscalfrpv6emosiwisxterq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3e41dcbef535020f52b2e3ebe16a6b33dacc3b840d67eda323143edf5c4180c1
AgentTesla
51adbc71533c8f874ff31411729f5a7015a9f55870e6a71d6450082302899050
AgentTesla
7207b499520093d020dea1f5cda54b46f389f6c1ff8da0a5c9feeb1f0266177f
AgentTesla
87e83503b7b5d28b225ff66f44acb5b55e03b31ef63d56caff3cd8123155e4ab
AgentTesla
9521eb835f0b665867fd29206eca9c18df194cf8ce011ae04489f867c3db730b
AgentTesla
9fb5e1d1b16b1a20d4994176d4579a90dd2e0a87b0bb6cac123e9894278f61ee
AgentTesla
d8dd0f2a3379826e0b9ca6ce11f4fdd873c5918ff0cb4aa19e26c561154449a3
AgentTesla
d8e66bab8039e591aff2e2b55d77eda4fd3ac53c77d3c9c1f259db30e9f0008c
AgentTesla
e1ff7c1f8ccf2e6d990d34158fe517a1ec41c9208d07888d571fa52d3d398c5b
AgentTesla
f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f
AgentTesla
+ 10'822 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 84a0f17dc51eaf90c8e37bf6f8f322c8e3fc4c75723b5cc18fd2fb01134e92a1

AgentTesla

Executable exe 87dbba2585c010769beba55cac0ddf7ab406664202cb17d7c463a48b22579923

(this sample)

  
Dropped by
MD5 36fad1683c966cd144eddcb462428236
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84a0f17dc51eaf90c8e37bf6f8f322c8e3fc4c75723b5cc18fd2fb01134e92a1

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments