MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
SHA3-384 hash: f838a04c8b3ed96607a216056bd606dd55ce5218a7ea072081f31041d6c9f437f8d1a0410876a3c76e9e480eca6ddc3b
SHA1 hash: dc40cbe769c99daf9c2eded1b6cab9122461093f
MD5 hash: 0e84fda82aeda6c8f99f3e55e91d20d2
humanhash: michigan-alanine-carpet-whiskey
File name:NOTICE OF CLOSING YOUR FACILITY AND DISINFECTING THE AREA- BY NCDC WH 20982 COV-19 1420.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'092'608 bytes
First seen:2020-04-02 04:15:24 UTC
Last seen:2020-04-02 04:45:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 94848a54c0e312a4c710f5725faa3dd1 (1 x AgentTesla)
ssdeep 24576:iqR0EBfk0pJ2uEiRRAqd0KJ9VGNeMwmNRuvs2SLkS:lBMysORRAk0c/GNexOIvs9LF
Threatray 10'595 similar samples on MalwareBazaar
TLSH B735B00DEEE5CC69DC9A37BA08B189B181261E1035518B5732E57B3681FB3A2712FF4D
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: mail18.mithiskyconnect.com
Sending IP: 13.127.234.58
From: HSE Department <HSE@xxx>
Subject: Fwd : NOTICE OF CLOSING YOUR FACILITY AND DISINFECT NG THE AREA- BY NCDC WH 20982 COV-19 Due To Recent Corona Virus COVID-19 Pandemic
Attachment: NOTICE OF CLOSING YOUR FACILITY AND DISINFECTING THE AREA- BY NCDC WH 20982 COV-19 1420.IMG

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46210.4618.31476.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-04-02 04:35:50 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ewhgq6tmq54amodkp3yttz2fdk2cuvbb5merox3flmz6ssj7gpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
4308234f18880f2b6ba5023f8870147f5c7888ff1ebf418930b18854aac069b4
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
66a2878b55d41d3e576ec08bb0e28573de3af9dbbbd08567cc730198a490d021
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
AgentTesla
9078f24603c107de0a603985cdc97c1dbf9af3cf4571c78a030c41e825ddd7d8
AgentTesla
a8c64168f72d3a7af27ae6dfff00da04467744c5bcc04f9292761359e5507cbf
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
+ 10'585 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 02f264d82b290f0f2edc3db16eb32933147b4cd2bea60ecdabd7938060d1ca23

AgentTesla

Executable exe d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e

(this sample)

  
Dropped by
MD5 8165f047288c64e0c469486e442bb290
  
Dropped by
SHA256 02f264d82b290f0f2edc3db16eb32933147b4cd2bea60ecdabd7938060d1ca23
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::InitializeSecurityDescriptor
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::AssignProcessToJobObject
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpReceiveResponse
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowW

Comments