MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc45113b5ca48cd246e8b3f5a1f57a43ec38d5959e430998ee83563a6ff6a77f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 3 File information Yara 3 Comments

SHA256 hash: bc45113b5ca48cd246e8b3f5a1f57a43ec38d5959e430998ee83563a6ff6a77f
SHA3-384 hash: 7e837477107bcca9ca6f2fb86bfc11a01d3f89110d1a4c291df4811eb908ede84eb73c771153c9ed1bbaa43af635bc32
SHA1 hash: 6af76fcc364763971386e9dfaf13088a56005ead
MD5 hash: 64f5e025327c7554635c127d51c69159
humanhash: lake-maryland-table-equal
File name:Quote_213417_from_Greenco_Manufact_C0_352.pdf.exe
Download: download sample
Signature AgentTesla
File size:530'432 bytes
First seen:2020-05-23 07:26:58 UTC
Last seen:2020-05-23 08:36:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:RS+T1qTwovJOeKFanO82VAwrerpjatTnU0LyuI1/DapCFO0mPwp6BIFvvGAbKsV9:YZlB2VAQerItTnKumepzPwpa4v/bpH
TLSH C7B4CF1A138C556AE99CC6BBD0D23A0406F4E46D249BEB9AEC71A4FE4B1F373C58510F
Reporter @abuse_ch
Tags:AgentTesla Chase exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: secure.com
Sending IP: 50.77.119.9
From: Chase Bank<info29381@secure.com>
Subject: Verify your Chase Account
Attachment: Quote_213417_from_Greenco_Manufact_C0_352.pdf.img (contains "Quote_213417_from_Greenco_Manufact_C0_352.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence


File Origin
# of uploads :
2
# of downloads :
35
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-05-23 08:00:00 UTC
AV detection:
20 of 30 (66.67%)
Threat level
  2/5

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe bc45113b5ca48cd246e8b3f5a1f57a43ec38d5959e430998ee83563a6ff6a77f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments