MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 976abbb8f188572f8f2dc301739f6edf94fae0ce2ae30d633f82df36ea79a42d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 976abbb8f188572f8f2dc301739f6edf94fae0ce2ae30d633f82df36ea79a42d
SHA3-384 hash: b698ec2ff5969f87e320a7a1a60261fffc1bb5b187b57d5de81b009e073fcbe66d766ea8c75db8cdb7312d4d32b64ba3
SHA1 hash: f6a34db7cb577f61b1405d816b7125310b6833b2
MD5 hash: aad7c3f862ae2427136e919f741bad83
humanhash: zulu-eleven-uniform-foxtrot
File name:Cotización de productos anti COVID-19..........pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:510'464 bytes
First seen:2020-04-17 09:41:41 UTC
Last seen:2020-04-17 10:42:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:z5D98UU11ahvIf04mrXm29ujgGkUJ0d8PpgkdmXU3rnnqeAmmFhYsWl6UNTxBxOa:lD98UYaifX27G3J6UrnrA3FhwnNTxKzu
Threatray 11'104 similar samples on MalwareBazaar
TLSH 10B4BF0A8F84682FFEC593F4F5593144A338E0A5A607FBC21F3A63E0459D356A0B759B
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: mvegypt-server1.mvegypt.com
Sending IP: 64.235.40.5
From: marketing@medicaldimegar.com.mx
Subject: Presupuesto para productos Anti COVID-19
Attachment: Cotización de productos anti COVID-19..........pdf.7z (contains "Cotización de productos anti COVID-19..........pdf.exe")

AgentTesla FTP exfil server:
ftp.motocoroneos.gr:21 (93.174.123.235)

AgenTesla FTP exilf user:
offshore@motocoroneos.gr

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.47449.11984.25857.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-17 09:50:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5vlxohrrbls7dznymaxhh3o36kpvygoflrq2yz7qlptn2tzuqwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04fd9df0e5ec9e9f2ddebfa497adbe3c57876dd52d8b778cee3701f21cf02986
AgentTesla
12afcd370e4beae67e78b936b7ba8035642ea4e5921a332b0a8ffac8452fa0ac
AgentTesla
285dfcf7b80c7e082218135e3b93eecd1b623ef2a86c5d3bdf9c51978d1ee62f
AgentTesla
2f9fbabd46b8c8138bb4a0a981a5c5ccc6abc958016cbc82fead927ff46e777f
AgentTesla
47d7d58ecc205502ab85b2f74d462e55b5d1e676d71d94a2a553df482350190b
AgentTesla
56c86f76934005ff25803fc7b71dfbde700ebe9bec9fa69959c16672fd458e59
AgentTesla
70e99108b5577011f7484785487d9cb5149dd1070138fa121407658053322cdd
AgentTesla
8d8991fa8728e69af3d21272ddca73ae8eac076e105058a6901ad831bed64aa7
AgentTesla
ccbd1c75dcdc38d5e34a96583e808c960836e85d76e87de04c13ea420d380286
AgentTesla
f18587b09cc9e48c6fcc74391510ba261d04cd3a788201aec2375d97a87f486d
AgentTesla
+ 11'094 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 5bc36bac58d13e2584d5390cf6e7c05e89018a6fe83476de6488dbb6b05be014

AgentTesla

Executable exe 976abbb8f188572f8f2dc301739f6edf94fae0ce2ae30d633f82df36ea79a42d

(this sample)

  
Dropped by
MD5 47e6ec015e69186ffa86cb96100975b2
  
Dropped by
SHA256 5bc36bac58d13e2584d5390cf6e7c05e89018a6fe83476de6488dbb6b05be014
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments