MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac5d5c01ca1db919755e4c303e6d0f094c5c729a830f99f8813b373588dc6c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 3

SHA256 hash: ac5d5c01ca1db919755e4c303e6d0f094c5c729a830f99f8813b373588dc6c27
SHA3-384 hash: 34eb733f7cda22bb45164a8af44fe59cd0b90fdf9762915d253a4667bae477fda5dfdf138bac0d6c181570c05711047e
SHA1 hash: f2ece557a643502a5581aec4dd73c290f2caf0b1
MD5 hash: df183d9c85fb2e2c30dcf9f828f74d2d
humanhash: tennessee-alanine-beryllium-oregon
File name: CLOSE DOWN ORDER FROM CDC DATED 4.1.2020.exe
Signature: AgentTesla
File size: 1'632'768 bytes
First seen: 2020-04-07 07:02:45 UTC
Last seen: 2020-04-07 07:42:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 60a7513cb930ce941dd9ccd67428c4e1 (1 x AgentTesla)
ssdeep: 24576:P93JCvyd4xE6YY/opp7WtWwrdofIZZSkKJm+gDRnTTlxe+:/zdWn++pofIZsgDBTX1
Threatray: 219 similar samples on MalwareBazaar
TLSH: 6975D02FF65892E3ED1610310AC6CFF9A63A7866332183DBB545AB1544ECFD0397934A
Reporter: abuse_ch
Tags: AgentTesla COVID-19 exe

abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: 162-241-214-72.unifiedlayer.com
Sending IP: 162.241.214.72
From: HR Department <HR@victim-domain>
Subject: (UPDATE COVID-19) CLOSE DOWN ORDER FROM CDC DATED 4.1.2020
Attachment: CLOSE DOWN ORDER FROM CDC DATED 4.1.2020.img (contains "CLOSE DOWN ORDER FROM CDC DATED 4.1.2020.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 96
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-04-07 07:13:11 UTC
File Type: PE (Exe)
Extracted files: 73
AV detection: 23 of 31 (74.19%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe ac5d5c01ca1db919755e4c303e6d0f094c5c729a830f99f8813b373588dc6c27 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews

ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | AVIFIL32.dll::AVIMakeCompressedStream, AVICAP32.dll::capGetDriverDescriptionA, WINMM.dll::joyGetPosEx, WINMM.dll::timeBeginPeriod, WINMM.dll::timeEndPeriod, WINMM.dll::timeGetTime
RPC_API | Can Execute Remote Procedures | RPCRT4.dll::RpcBindingInqOption
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::WriteConsoleA, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateFileA, KERNEL32.dll::CreateFileMappingA, SHLWAPI.dll::PathRemoveFileSpecW, KERNEL32.dll::GetWindowsDirectoryW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyA, ADVAPI32.dll::RegQueryValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::FindWindowA, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA