MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6cf05f1629ac05fd96e9a535de21a9112c854de8e39f3cd407143759e656b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	a6cf05f1629ac05fd96e9a535de21a9112c854de8e39f3cd407143759e656b71
SHA3-384 hash:	85b704ada040051a8c3e49d300ce4aa4c9e9b0e868dc34d8e2be70c127d47e9bf0020b55e3918390ac06f78d0034e48a
SHA1 hash:	769d43be33063a950faaedeb1a42ebc8ee8f70cb
MD5 hash:	713472f463fe7966d1d62d1df8fe255c
humanhash:	wyoming-florida-tango-undress
File name:	CF&FDA Certificate Test Kits covid-19.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	601'600 bytes
First seen:	2020-04-01 13:52:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:ujK2iNEXWRPV6N1dYJtHBg4zTIWL06sYAwNWEJbKESSk:gK19RtE8tS4zMWL0vYAwS
Threatray	10'856 similar samples on MalwareBazaar
TLSH	06D49C4B31EC21CFC49E89715E65FF1CA6243D225616CD0AAC53F69C643CA428AF35BE
Reporter	abuse_ch
Tags:	AgentTesla COVID-19 exe

abuse_ch

COVID-19 themed malspam distributing AgentTesla:

HELO: server.clinicasom.com
Sending IP: 185.76.77.225
From: sales Trading LLC <soporte@clinicasom.com>
Subject: Re: CF&FDA Certificate Test Kits covid-19
Attachment: CFFDA Certificate Test Kits covid-19.img (contains "CF&FDA Certificate Test Kits covid-19.exe")

AgentTesla SMTP exfil server:
smtp.ge-lndustry.com:587 (208.91.198.143)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject3.37269.15666.23612.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-01 14:35:30 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u3hql4lctlaf7wlotjjv3yq2sejmqvg6ry47htkaofbxlhtfnnyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

36a2f14e47f2e356a86679b2d3812576257978f2e8b9d4e2c16c884f4efb38b7

AgentTesla

6284dcf3ae02ff5c558baf2a35f9fceee1aed4fe200f333ca65a61a41cb96d69

AgentTesla

74dd17973ffad45d4ffec5744331335523b2e25ef04c701c928a8de6513a36aa

AgentTesla

81eeadcc2553fe9991022470311c8ad197615c465cd06a2992990ad63b14aebb

AgentTesla

8ed339f943c618ed7d55ff92dcad7ee68dcc02753691838fdecb06db6a8e1202

AgentTesla

a42369bfdb64463a53b3e9610bf6775cd44bf3be38225099ad76e382a76ba3e5

AgentTesla

ba570d5e847509c2b56f4bd5dfb21115e1e9516481c2a89859c2f682786a0eae

AgentTesla

c69453b690e346e111684ff026a0252fb7eaef9ba195bb30a207dfed0fed38e1

AgentTesla

f8aebcc9afaa71ce6097fb2b9dc2f412c1c98b358fce687f98f3e379216c8fe7

AgentTesla

+ 10'846 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 1e1c4f8a31673279a1df1460443acaac8371e79e8393f0238fa1e23bed6667cc

AgentTesla

exe a6cf05f1629ac05fd96e9a535de21a9112c854de8e39f3cd407143759e656b71

(this sample)

Dropped by

MD5 57884eb88844f46f6f89056c97af8f43

Dropped by

SHA256 1e1c4f8a31673279a1df1460443acaac8371e79e8393f0238fa1e23bed6667cc

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample