MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf54056eda237aa8972826e73687985609e3713c461c40c3c47ca231d7266783. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf54056eda237aa8972826e73687985609e3713c461c40c3c47ca231d7266783
SHA3-384 hash: d4e533f005a658fe79d797064b2348adad0a1244bc3edcaa09136cf015869b93f84c32131f099c592e5b88001804f881
SHA1 hash: 81aeac6b58c181d01f794933b88f0611ed48944f
MD5 hash: 5eeffd13a696cde7958e39ff9a472c40
humanhash: papa-alabama-low-emma
File name:DHL_April 2020 at 1.90_9B9290_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:390'144 bytes
First seen:2020-04-30 10:16:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:V8u6MsjsBbso3VYUrUU0HiMsoAuJ0XmQWOdemoYKLKb2Qst4zlgnCYBUu2k:ezMTbBVYUrUU0HiMfHimQWOdVoRPQaCY
Threatray 10'647 similar samples on MalwareBazaar
TLSH 88848D765DF92137E064DAF1CFC6D4A3BA58D4BB2029687224ABBB15C36394329C313D
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: racinformatica.infortelecomhosting.com
Sending IP: 84.246.211.247
From: DHL Customer Support <noreply@dhl.com>
Subject: Re: DHL Notification / DHL_AWB_1179303/ ETD
Attachment: DHL_April 2020 at 1.90_9B9290_PDF.img (contains "DHL_April 2020 at 1.90_9B9290_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Quasar
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 03:25:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5kak3w2en5krfzie3ttnb4ykye6g4j4iyoebq6epsrddvzgm6bq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
000512435d0d55901f55882d7be3c3d27e675e73d944fb8e09d3b73e0abccbc3
AgentTesla
0874efe680cfb9ab53997e6f4b5e1159d1d4d51f485a6845fc90cd03d10ca29f
AgentTesla
18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c
AgentTesla
4a8a8d8faabf6613961d6317ab29f33a81a47fbce80e288970fe96e1f67246a6
AgentTesla
6963991b3f7b0d0870130058d1494481d64003e95bbb5fabfb024de68582c02e
AgentTesla
6afb227c640c59b8f64fc5a16adf0a25e946cf47198992bc44044976a8c3bcf3
AgentTesla
98629c6d70b7985e3671dc4a824e2f4662dbcd85a787f5d0d546688922f41ffd
AgentTesla
ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
AgentTesla
d8e66bab8039e591aff2e2b55d77eda4fd3ac53c77d3c9c1f259db30e9f0008c
AgentTesla
fa3ce577f3f1fff59835222b4a67d32900b0e49fb5d7f8bd0874dfc75092a2e4
AgentTesla
+ 10'637 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img e8e76b3c9970901adeed83c924ecb5a25c8dfba0aa063f4c462d13dd251e8a0d

AgentTesla

Executable exe bf54056eda237aa8972826e73687985609e3713c461c40c3c47ca231d7266783

(this sample)

  
Dropped by
MD5 49b2851ade3a0fc549ff35e817b48e07
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e8e76b3c9970901adeed83c924ecb5a25c8dfba0aa063f4c462d13dd251e8a0d

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments