MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4edb75adeeb77973b20f4e65a287125f2a12d53e9a1ab647d5737234bcfbd70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	e4edb75adeeb77973b20f4e65a287125f2a12d53e9a1ab647d5737234bcfbd70
SHA3-384 hash:	762ea2e98a6ab1eb78459d91ce4c115761b0de00eef76bcf1bdefa509f69f42dc1136112284142311014f16b2d11bdc2
SHA1 hash:	7fb9bef3eb7e0d08e6778ad1c98168d8aa114481
MD5 hash:	97a10e16153cbde02389462546c1003b
humanhash:	delaware-dakota-oxygen-lemon
File name:	New Order #3452_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	595'968 bytes
First seen:	2020-04-29 17:49:56 UTC
Last seen:	2020-04-29 19:05:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:0Y66hNN/ssop69MynYERmTDxYiZ/MGGYDGZJrh4:0Y66Zss46qYRmTDOZs
Threatray	10'545 similar samples on MalwareBazaar
TLSH	CEC47C3C5DB65177DF2DD2F1EFE68432B734911AB35A26B022C681B41F52B9028CB4B9
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: ansamcal.com
Sending IP: 209.58.149.66
From: Purchase/Rolf Mayer <purchasse@ansamcal.com>
Subject: New Order #3452 / 04-28-2020

AgentTesla SMTP exfil server:
mail.nabf.com.au:587 (122.201.97.187)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Troj.HawkEy-HR.13813.5608.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-04-29 01:31:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4tw3oww65n3zooza6ttfukdrexzkclkt5gq2wzd5k43sgs6pxvya._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb

AgentTesla

4ca1b6c3ac6eb51dfef5f5e641280d608abc652e98a37eb353c667c4c1acc40f

AgentTesla

9b04212fb1aeea566fe8268a73e7449addf9fc0c09dbebec6fae9cebae9834c3

AgentTesla

aa218adce0cc32486a75b6e5a2669c8b82afac444485f3d44bb168482276ad4e

AgentTesla

ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317

AgentTesla

b2c9554320dfb016f84d544425222acef4bf674bea6527f027c36bc56f301d80

AgentTesla

dcde17e3cfe69ac2ccabf6e4725490d5b715eba7454d9fa859dde428a11f4649

AgentTesla

e1d165776063f60a18cdd5d21f19c4700f79b1911da4d78c42fd2c885feac0b9

AgentTesla

fbc8a4a7c795fa996462ad57db81b1b8c06e95cd9f6a6c0564c749682cdd6692

AgentTesla

+ 10'535 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 73da0f0ba52b2961753486f2e16d0218eafc5f0bae6c6c87707a414c5649e1fd

AgentTesla

exe e4edb75adeeb77973b20f4e65a287125f2a12d53e9a1ab647d5737234bcfbd70

(this sample)

Dropped by

MD5 cd34e8daad39b2df0bbeea9028394725

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 73da0f0ba52b2961753486f2e16d0218eafc5f0bae6c6c87707a414c5649e1fd

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample