MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e
SHA3-384 hash:	884fe39b4534af01b1ce3e002bc1ed24db75c550c6d6f8e8fef84117b987ce73b27c62ff490d796495bdbc61c29ea76c
SHA1 hash:	70d25026bf261e2b17e2ec656ccbb4cf8fd25785
MD5 hash:	cceeb992e0c72fe93fa4b8e263e5abdd
humanhash:	timing-vermont-fish-purple
File name:	Scan Copy_7282020_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	730'112 bytes
First seen:	2020-07-28 12:34:59 UTC
Last seen:	2020-07-29 08:04:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	20e6d5abed83baa72fa27d4f775f9f3c (7 x AgentTesla, 5 x MassLogger, 1 x QuasarRAT)
ssdeep	12288:1H8TTCvLmK25X5CK7jQMuG6sh8ktgNYoVNXSrsXLvwtu67r0M28rrr:dcojK7LuBl6gNYoVVFvgu6j7vr
Threatray	11'512 similar samples on MalwareBazaar
TLSH	7DF4AF66F2E04933D1671A3C9F1B57689839BE103E285B466FE41C4C7F39393346A2A7
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33639/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/400301

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e/

Threat name:

Win32.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-28 12:36:08 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zybfpmlpjp7bbmpjr2pxymzoyt6uozvaspcumkrshfbifrvfciha._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

3c3c2afe57269ba1438595d34dfd3db570514bcf7b404a3ae8a38f8481729da3

AgentTesla

4c270fa1b5faf1dbc5d58130a28ba6dec7f1d6f7fef4f0cbe72fb795dc3cf734

AgentTesla

643e8c298a11b6a8391b4de2a9fa7639ed51ecd9a3977a1f8dd5299352abe11d

AgentTesla

787836c865af23aa7fc7ca8a6ece3c79565ff939a8e06b78b783f15f3cd43416

AgentTesla

7f3f318f71fc63976a8714f64e85ba5db4854e651182b6ddf14a32cf4180d264

AgentTesla

87aca4fc3253cd41db9b0ec35fd55868bcd30b5962a2c0da2004bf852a5d60a2

AgentTesla

945ececcb2fd0b7d3a4fd86464737752ba8c1cf215159868595bd9d167a337a2

AgentTesla

ab1f5f34311f23e2dfcd1e2c32b72d29689620974d51e7791982358aaecfc7a2

AgentTesla

c3418a3272d2f9a7b3121655ac783ce213a3d4557def273d3d3ae170ace88974

AgentTesla

+ 11'502 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200728-7h1rr4dbqx/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar