MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d30ef27af1f472767f36dd42663483dd6fed770480aa38f04fd63b32121091e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 4
| SHA256 hash: | d30ef27af1f472767f36dd42663483dd6fed770480aa38f04fd63b32121091e9 |
|---|---|
| SHA3-384 hash: | 1b12a49e09e7bc5cc60e0cc8fb3f943cf79d25aea0c512ca91db953b4009460324daa99dd82b8efa944abead7c52c69e |
| SHA1 hash: | 7c07e85c2ca8c1fbac588223735ab3e0d82ffe66 |
| MD5 hash: | 87477ee5fae80962d0cc969f19000db2 |
| humanhash: | glucose-ten-beer-vegan |
| File name: | covid试剂盒采购_____PDF_________________________________________________________________________________56789.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 398'336 bytes |
| First seen: | 2020-04-17 11:05:10 UTC |
| Last seen: | 2020-04-17 11:50:09 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:5Ash+cEV1WmSQeebhkiX4vhMyNCC14lc7MoksNcwmj7iBU+ry:5AM/ELWmSjik5CHl1okW |
| Threatray | 10'851 similar samples on MalwareBazaar |
| TLSH | 9884BDEC396072EFC857C472DEA82CB5EA9534BB831B5117A02705ED9A4C99BCF150F2 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla CHN COVID-19 exe geo |
abuse_ch
COVID-19 themed malspam, apparently hitting CN internet users with AgentTesla:HELO: panel.correosvarios.com
Sending IP: 179.27.96.76
From: Selina <arey@portvan.com>
Subject: covid试剂盒采购
Attachment: covid试剂盒采购_____PDF_________________________________________________________________________________56789.rar
AgentTesla SMTP exfil server:
smtp.epaindemgroup.com:587 (208.91.199.224)
AgentTesla SMTP exfil email address:
investor@epaindemgroup.com
Intelligence
File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-04-17 05:40:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 31 (83.87%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 10'841 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.