MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8a4bb98cbc68663e4a07d58c393c00797365a2f3305d039809554a72e2bd01e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8a4bb98cbc68663e4a07d58c393c00797365a2f3305d039809554a72e2bd01e
SHA3-384 hash: fd10cd460779e3ec7e97e0466e844051f43a7bc4fbfaa17df3d9b0179e77557a683aeeb87326411886d13f48d98aba74
SHA1 hash: 864616830e502ed7c401f39d98ee634d17523039
MD5 hash: c957a5f737c9d386b24b368b43ef8a5e
humanhash: oregon-winner-asparagus-crazy
File name:vaccine release for Corona-virus(COVID-19)_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:102'400 bytes
First seen:2020-04-03 17:22:47 UTC
Last seen:2020-04-03 18:01:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e184e61f4bf80019db90cd92d165430 (1 x AgentTesla)
ssdeep 768:o+RIDPnJeEJvX4Mmg9Ke4pGTbEi+d+5jcmaWpsUH1YBFYK:BeDheEJ/4negGHEi2OjPnH1YB/
Threatray 744 similar samples on MalwareBazaar
TLSH D8A3E666BA10FE50D4081EB2DD3A97EC4134BC71AD016A07BAC83F6F3D71581BA52B67
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe GuLoader


Avatar
abuse_ch
COVID-19 themed malspam distributing GuLoader->AgentTesla:

HELO: server.kto.org.tr
Sending IP: 185.135.222.3
From: Dr. Kim Jung <info@hardworkingincs.pro>
Subject: Latest vaccine release for Corona-virus(COVID-19)
Attachment: vaccine release for Corona-virusCOVID-19_pdf.rar (contains "vaccine release for Corona-virus(COVID-19)_pdf.exe")

GuLoader payload URL (AgentTesla):
https://drive.google.com/uc?export=download&id=1Trzyb2eW-3WLdj4BQQq_kissPU1THWy5

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587 (208.91.198.143)

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.VBGeneric-7667482-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-04 01:07:36 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcslxggly2dghzfapvmmhe6aa6ltmwrpgmc5aomasvkkolrl2apa._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
AgentTesla
1bfc107e597a3f4780a8607d7c5f033048cb59c50a5fdbe388c10d839efd8692
AgentTesla
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
AgentTesla
50529809a9b92f2b353e94a27b850f7be76f820c9a413a5968d686026936c133
AgentTesla
547c80b6ac037b0496c7b47ec8e002fb08eaa303de5e14e8f46fa1ee7bb43116
AgentTesla
5fd2782655a0bf022f6219b3d6ba6dbe6f5b759b56dc2dca0a2100bae251ffee
AgentTesla
68250b3b7bd3bf975cc34c76b31ed23634e6b2437c6fc3ae3bb6209c7eaf5402
AgentTesla
7fbd290f28f3ac346e168c3994febcb70f81ddeeb366982226ca76559ad0fdb6
AgentTesla
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
AgentTesla
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
AgentTesla
+ 734 additional samples on MalwareBazaar
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c8a4bb98cbc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4d346fb742a8c538e978a592443f8686c1f502c00f6e06aabe42d117679ab6c6

AgentTesla

Executable exe c8a4bb98cbc68663e4a07d58c393c00797365a2f3305d039809554a72e2bd01e

(this sample)

AgentTesla

Executable exe 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2

  
URLhaus
https://urlhaus.abuse.ch/url/334542/
  
Dropped by
MD5 4913568685c82700275b3e085379a0ea
  
Dropped by
SHA256 4d346fb742a8c538e978a592443f8686c1f502c00f6e06aabe42d117679ab6c6
  
Dropping
MD5 641b595a4f0d6fc67f702417eab2727b
  
Dropping
SHA256 2cf671173d9af2f550adcb58b7c8aa914164d52400363680cf476af85b9bfab2
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::EVENT_SINK_AddRef
MSVBVM60.DLL::__vbaFileOpen
MSVBVM60.DLL::__vbaErrorOverflow

Comments