MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c3820448fb9d548a6e581c0fbf4bb3716d2cb945ba790a8fab3fd02ac3ec844b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 4
| SHA256 hash: | c3820448fb9d548a6e581c0fbf4bb3716d2cb945ba790a8fab3fd02ac3ec844b |
|---|---|
| SHA3-384 hash: | 6324be95468ab2735850611469acbdf46884aba4dce4493b4685533e8959616808a53741ae052a1fde4226dcf355d21d |
| SHA1 hash: | 2ba7ebddebd2b48a6bef8bec1eb1d64596077cdd |
| MD5 hash: | 8d99214e831842025f9a3101cde59456 |
| humanhash: | quebec-beer-xray-missouri |
| File name: | PHOTOS_O.EXE |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 1'474'560 bytes |
| First seen: | 2020-04-21 12:55:20 UTC |
| Last seen: | 2020-04-21 14:06:29 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | db480ea6abb006121408eece2d202152 (1 x AgentTesla) |
| ssdeep | 12288:6Nqd0SEhgDnzhuHaM19VqAjk5so88OnNC+1c3YGpTUkTd3OXCBQ9co6q0lpcPPib:Td6gD83OdgAPTpV |
| Threatray | 11'081 similar samples on MalwareBazaar |
| TLSH | FF658FE2DE1B926AF74B257DBB5C72D0B89CB7011F7F0C1A38CCE51C56679A1088E960 |
| Reporter |  abuse_ch |
| Tags: | AgenTesla AgentTesla COVID-19 exe |
abuse_ch
COVID-19 themed malspam distributing AgentTesla:HELO: mail.trigunamandala.co.id
Sending IP: 103.227.147.230
From: "Shahzad Akbar" <anin@trigunamandala.co.id>
Subject: Photos of our staff with the COVID-19 viral infection
Attachment: Photos of our staff with the COVID-19 viral infection.img (contains "PHOTOS_O.EXE")
Intelligence
File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Dropback
Status:
Malicious
First seen:
2020-04-21 01:14:00 UTC
File Type:
PE (Exe)
Extracted files:
50
AV detection:
24 of 31 (77.42%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 11'071 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::IsValidSecurityDescriptor |
| GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC |
| MULTIMEDIA_API | Can Play Multimedia | MSVFW32.dll::ICCompressorChoose |
| WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA USER32.dll::PeekMessageA USER32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.