MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93fb5df147c1af971f4f601145b7eac3efc2699f9a6a57b0f879271ce9d3c28a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93fb5df147c1af971f4f601145b7eac3efc2699f9a6a57b0f879271ce9d3c28a
SHA3-384 hash: e83000df8f15616fe9b066ead708cd96280f1f3c6ae1e204062e8c2d3c700703bcd371efe68d98f590832d12a9b54e0f
SHA1 hash: 6f2332ae1ea513d749c95b1ccd2bd2995a044acb
MD5 hash: 312b10c4d76eb797a7d56225175d5a5f
humanhash: lion-wyoming-social-six
File name:Pictures Of Two Staff With COVID-19 Positive scanned from a xerox multifunctional device001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:986'112 bytes
First seen:2020-03-31 12:05:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 58643c78e727916d72ac73a108eebb8d (1 x AgentTesla)
ssdeep 24576:zpX+vbOFLePocAGpW0+9lAxNLkhcn/T+chbgSVC:KIepAGM0+9lArLkynVgSVC
Threatray 10'528 similar samples on MalwareBazaar
TLSH 1525E042BBD2D070F4D20D39877386B79ABA7E149F218DD7A3D43D19A8301C0AAB975D
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: business64-3.web-hosting.com
Sending IP: 198.187.31.71
From: HR Department <support@sunnyleone.website>
Subject: Corona Virus COVID-19 Pandemic Notice! Notice! Notice!=
Attachment: Pictures Of Two Staff With COVID-19 Positive scanned from a xerox multifunctional device001.img

AgentTesla SMTP exfil server:
smtp.maizinternational.com:587 (208.91.198.143)

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-03-31 12:57:00 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sp5v34khygxzoh2pmaiuln7kypx4e2m7tjvfpmhypetrz2otykfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08f2608e738af40f8ba5a8d34435c988fad03aa07bad9d068379a3134ceaf42e
AgentTesla
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
3b14e1d76426cce9efbb31dc83050a145a304e91c1089a2f51f2fda8c9bb0c7d
AgentTesla
7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
AgentTesla
b93b0f1932df3b275412f8069e92abd4090a6fcbf91920924532a784d5fc3cc0
AgentTesla
cca0f42988d384833c872216a19d67b85393162929e93b87f752f55545b12b03
AgentTesla
d042869b3fe80a8b4c25c8b5bb76e6e66610dd313def5b0a7b35f5d44123cb8e
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
ea00e61f682dcda07a223e3812f6b87b2182a3dd9999a6872563ea709bc2d282
AgentTesla
f688b463a057afb9a38b9c380035f17579bc1f4b12b8041a5c5f388d11ff9158
AgentTesla
+ 10'518 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img d21d5a4ceec6756994974a457e91e5598276783bdeb20a90b366d7137cf9ccb5

AgentTesla

Executable exe 93fb5df147c1af971f4f601145b7eac3efc2699f9a6a57b0f879271ce9d3c28a

(this sample)

  
Dropped by
MD5 db468e02f6e6e40f542cbb6e84260076
  
Dropped by
SHA256 d21d5a4ceec6756994974a457e91e5598276783bdeb20a90b366d7137cf9ccb5
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_APICan Play MultimediaWINMM.dll::auxGetNumDevs
WINMM.dll::joyGetNumDevs
WINMM.dll::midiInGetNumDevs
WINMM.dll::midiOutGetNumDevs
WINMM.dll::mmioStringToFOURCCA
WINMM.dll::waveInGetNumDevs
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments