MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acbcb4df85d5f9b834b53599b13447cac78dcae89cbf9ae396ec7f932ea174cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acbcb4df85d5f9b834b53599b13447cac78dcae89cbf9ae396ec7f932ea174cb
SHA3-384 hash: 1711cbc41cc165bb22cfb9846a68036cb5bf6baa26d140ad8c741b8b8735bbcc30351cf0daf1daa157e36de78c931da4
SHA1 hash: 8cc0b736395a8a8a64dd6041c62dde4cd81e87aa
MD5 hash: 21c6ee752d826af0811cd0ec1ef184ab
humanhash: jig-charlie-delta-oranges
File name:biggy file.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:829'440 bytes
First seen:2020-04-29 18:51:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 556c6a7e5f749bf800bb7913c54276f4 (10 x AgentTesla, 8 x Loki, 4 x RemcosRAT)
ssdeep 24576:8LdfZhpFb6TU2uE19S3ZcT5V3r/Wh22pMl:UVxETSE19S3Z6XWhZul
Threatray 11'208 similar samples on MalwareBazaar
TLSH 6705B066F2D04837C1732A3C9D5B5764A83A7E103E39A8466BF82D4C5F38791763A2D3
Reporter abuse_ch
Tags:AgentTesla COVID-19 DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outsmtp01.sadecehosting.com
Sending IP: 77.92.152.36
From: DHL Express China <China@dhl-news.com>
Subject: Covid-19 update from DHL Express
Attachment: Covid-19 update.zip (contains "biggy file.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-29 04:39:13 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vs6ljx4f2x43qnfvgwm3cnchzldy3sxits7zvy4w5r7zglvbotfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a
AgentTesla
4e572772b1f4f02a1cf0194b2d560638e1898f467827beb525dce28278baacc9
AgentTesla
63639cd2d113b84b973583108166093a5d5313719cd2b8945b17738ae52a6291
AgentTesla
66e548774f497cb4dba29b195df59b74b351365eaa777f1516a1baa02805ab22
AgentTesla
71079b6770db403249ebaef088f4e3929d357ac797a470f64fd240e50a995a4c
AgentTesla
76e663fac059a1659275bf54e20ee9ee4667fdbd0c7a7a7c40b4fa472ce4e186
AgentTesla
9160a75fe7bd27c3cb8141039d4c7383162b199454dfa285dd7d11f9fcfe52b1
AgentTesla
a574b201fa1b1b05d857cff48993efd19a3f700c55d6a7ea8ea9a1da30becb62
AgentTesla
a63dfd81e0eb6283bc0051a3c1f80ba0eb818d132aafe5e6a1cc3cd63a3433ff
AgentTesla
be97c3f71385314e1d4da565788beba4633afd5d41c1a58eb3600b420becc747
AgentTesla
+ 11'198 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip b8b5ff14477ccb87cf94d440539cd50fc061f1992ee32357f209ee70465103b0

AgentTesla

Executable exe acbcb4df85d5f9b834b53599b13447cac78dcae89cbf9ae396ec7f932ea174cb

(this sample)

  
Dropped by
MD5 2d70e771ae35efb03b75a0532544789e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b8b5ff14477ccb87cf94d440539cd50fc061f1992ee32357f209ee70465103b0

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments