MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c1a8c39ce7658e5e8a3ab916d86a24d99f1c804b20ea93e5a2e3c50c87cd0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	e1c1a8c39ce7658e5e8a3ab916d86a24d99f1c804b20ea93e5a2e3c50c87cd0e
SHA3-384 hash:	5e2454f5edad754a1ff66f9986b2ec9e59aa587cbfd9487d217c25903f33bf29b79285f6b7fd2e6afdadc953c244dd7f
SHA1 hash:	0a243a2ab1a8f0f01f77a92f623c890a6c364543
MD5 hash:	30bea37fb6b12ea4c2226f95408b4f5e
humanhash:	tennessee-sweet-six-cold
File name:	DHL COURIER PICKUP CONFIRMATION.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	687'104 bytes
First seen:	2020-04-06 08:26:21 UTC
Last seen:	2020-04-06 09:44:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:9EGPYMScPFtEGvaxV7fpQRkgZvyf3QbCZJ18yYBfML1F61DcR:eGPdn7ajYkxf3QGh8yAk5kVcR
Threatray	11'089 similar samples on MalwareBazaar
TLSH	41E4F13129D2845CE83A077248BAEEC0BA7676477A668F2D748B130C9F0291F7F6755C
Reporter	abuse_ch
Tags:	AgentTesla COVID-19 exe

abuse_ch

COVID-19 themed malspam distributing AgentTesla:

HELO: gains.assureonlinesolutions.com
Sending IP: 108.170.63.170
From: DHL Global Mail Inc © <jessa.lagangan@dhl.com>
Subject: DHL Delivery Shipment COVID-19 Be Safe and Stay Strong.
Attachment: DHL COURIER PICKUP CONFIRMATION.pdf.ace (contains "DHL COURIER PICKUP CONFIRMATION.pdf.exe")

AgentTesla SMTP exfil server:
smtp.salasarlamlnates.com:587 (208.91.199.224)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Artemis30BEA37FB6B1.7701.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-06 00:54:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ha2rq4445sy4xukhk4rnwdketmz6heajmqove7fulr4kdehzuha._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4836a622dd769623b0d890d6d785984db04adc0cf735fb316dba6ab7c56bad33

AgentTesla

57df36fc7452bb8ef66e18f5ca34deace335039f1ffe1119c975b547a788377e

AgentTesla

5a2965c63c2c74a0e8d06008ead3a82354dfd319468074823d5224a63e1a5c52

AgentTesla

8693d6aaa3f5cb0e2c6e725eaa9d6abf1bcf8f8390625767312b5af32e204118

AgentTesla

a6aba7b7f6eeeb871e7c58959307a260e3f20b54b7d4a174c9bc03ce4eb94a94

AgentTesla

bd03cebf0f02bc3313ccbe3de2948e4981d52c983d2215c637dda38ab89863e4

AgentTesla

c04c4bb521cb18dc16fbacc4220c0f854bfadfdc0c016ec6fd868d52fe8c3e08

AgentTesla

dbbaf0499e544e3832699110f71f62a521ec93cc8a74656c92af7023f554d897

AgentTesla

eecae1c4f0341afd1a089da83da76e7a1e31f3f2243269722c9d0c9457c2ef85

AgentTesla

+ 11'079 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

ace 5ea484788613d019ffa793a4afda9e4564d4b27307746f26b6dfee3432317ff4

AgentTesla

exe e1c1a8c39ce7658e5e8a3ab916d86a24d99f1c804b20ea93e5a2e3c50c87cd0e

(this sample)

Dropped by

MD5 4bb838ba93e136fd919407e39da7d7a7

Dropped by

SHA256 5ea484788613d019ffa793a4afda9e4564d4b27307746f26b6dfee3432317ff4

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample