MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c69453b690e346e111684ff026a0252fb7eaef9ba195bb30a207dfed0fed38e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c69453b690e346e111684ff026a0252fb7eaef9ba195bb30a207dfed0fed38e1
SHA3-384 hash: 7b808e6fad8a354a04ae18c67db35bf1c26396c82864a50ded3d11b7180819363168c3bee7d871dcd4eda049f2f3f08e
SHA1 hash: bad35ebc1c828612a67e0128cd6400b74685650b
MD5 hash: 43b82e99339ee68c2ee2cfa045683636
humanhash: india-florida-music-paris
File name:Kits de prueba de certificado CF y FDA covid-19.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:528'384 bytes
First seen:2020-04-02 04:05:37 UTC
Last seen:2020-04-02 04:45:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'603 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:liVol10XAyZOV2ODXiDOg58k91Ott5Q9vk:l10XAtVJXiDZ58kPOb5Q6
Threatray 10'508 similar samples on MalwareBazaar
TLSH 0DB4162B24DE56F6DEACB9709E04F63DB068EB227113AD1C6C92B6B5F42055220F353D
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: server.clinicasom.com
Sending IP: 185.76.77.225
From: sales Trading LLC <soporte@clinicasom.com>
Subject: Re: Kits de prueba de certificado CF y FDA covid-19
Attachment: Kits de prueba de certificado CF y FDA covid-19.img (contains "Kits de prueba de certificado CF y FDA covid-19.exe")

AgentTesla SMTP exfil server:
smtp.ge-lndustry.com:587 (208.91.199.224)

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.32077.26608.22807.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 11:40:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2kfhnuq4ndocelij7ycnibff636v343ugk3wmfca7p62d7nhdqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0068cd1c85fc05f425fc6213b8317b2827528285d1a73b7df6135123161448ee
AgentTesla
11faf0c766ae2157ada71192b7d6e19d2c375402f675e7c182ab09661605c9fa
AgentTesla
1209aa815dfe8b00312a574dbd65fff52b4ea96abd1657572ac76a1e0e788f95
AgentTesla
5f6c30a76853567061fe2a4f08a9c4bfb88116429950c0b4fa1d83bd54c4e88d
AgentTesla
628fb13f63d68b25083522f21c084fc565fd8fe57e05b95b35b76ac01fdbf5ff
AgentTesla
89f5773de397e09275d7d02812ec937343e878030232964061bb6aafdea5ccde
AgentTesla
94197cbe77813adffc9af54831e26ce605beea544391727c0f71412d1e50235b
AgentTesla
a6cf05f1629ac05fd96e9a535de21a9112c854de8e39f3cd407143759e656b71
AgentTesla
b3cb81035e7e265ca264a7f84181546f524a4d9677f92b75d2959c21a6cfda98
AgentTesla
e9c66deea17bd72dd008c96d6ef671faa5ee2319f541100557093cff0bdc0dc7
AgentTesla
+ 10'498 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 790e0abfee9aead81cf40f9037682949fd1f0b29ffbff6b38a81b4cea95b9d50

AgentTesla

Executable exe c69453b690e346e111684ff026a0252fb7eaef9ba195bb30a207dfed0fed38e1

(this sample)

  
Dropped by
MD5 d0ba6429be5805b931648e0326463b76
  
Dropped by
SHA256 790e0abfee9aead81cf40f9037682949fd1f0b29ffbff6b38a81b4cea95b9d50
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments