MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce6375b775b9a193e76d8ee3b197e9747468a0e6d3440a65ca2fd50bf664a1a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce6375b775b9a193e76d8ee3b197e9747468a0e6d3440a65ca2fd50bf664a1a2
SHA3-384 hash: c12b2785460b45f03db9123f69f92d6c9eff57cd196cebb87ce15a1b0cb044f730f3d2f337e6059e891014df51607a47
SHA1 hash: 4658cb19136c5b04df9cc0fdef48881f7ec68d9f
MD5 hash: 2f3375d84fa423a602abeadb13f129e6
humanhash: monkey-helium-ohio-oxygen
File name:POKVRQ-7436819.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:796'672 bytes
First seen:2020-08-19 07:20:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KLf9hlZSvKF+mhGYcxzrZVaWR0CxKjs4:yFh7vU5FVaWR
Threatray 10'671 similar samples on MalwareBazaar
TLSH 1B05CF547114E18ED85A8D7F9850CCF84F183D6BDE4AF603B983B7DE6B39AA3CA00452
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: olives.ru
Sending IP: 185.222.57.198
From: Alevtina Ivanova <alevtina_ivanova@olives.ru>
Subject: REF FOR PURCHASE ORDER KV/RQ-7436819
Attachment: POKVRQ-7436819.arj (contains "POKVRQ-7436819.exe")

AgentTesla SMTP exfil server:
mail.titanworkinharders.com:587

AgentTesla SMTP exfil email address:
llogg@titanworkinharders.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48257/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.32310.19320.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/436976
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 270914 Sample: POKVRQ-7436819.exe Startdate: 19/08/2020 Architecture: WINDOWS Score: 100 28 Yara detected AgentTesla 2->28 30 Yara detected AntiVM_3 2->30 32 Machine Learning detection for sample 2->32 34 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->34 6 POKVRQ-7436819.exe 3 2->6         started        10 nVTlJn.exe 3 2->10         started        12 nVTlJn.exe 2 2->12         started        process3 file4 22 C:\Users\user\...\POKVRQ-7436819.exe.log, ASCII 6->22 dropped 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->38 40 Injects a PE file into a foreign processes 6->40 14 POKVRQ-7436819.exe 2 5 6->14         started        42 Machine Learning detection for dropped file 10->42 18 nVTlJn.exe 2 10->18         started        20 nVTlJn.exe 2 12->20         started        signatures5 process6 file7 24 C:\Users\user\AppData\Roaming\...\nVTlJn.exe, PE32 14->24 dropped 26 C:\Users\user\...\nVTlJn.exe:Zone.Identifier, ASCII 14->26 dropped 44 Moves itself to temp directory 14->44 46 Tries to steal Mail credentials (via file access) 14->46 48 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->48 50 Tries to harvest and steal browser information (history, passwords, etc) 20->50 52 Installs a global keyboard hook 20->52 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ce6375b775b9a193e76d8ee3b197e9747468a0e6d3440a65ca2fd50bf664a1a2/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 10:03:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzrxln3vxgqzhz3nr3r3df7jor2grihg2ncauzokf7kqx5teugra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
25ef4eb5dbb6b39d8563f3874eaeb97f1637df07278bfbdad0161afceb4164e4
AgentTesla
263573ece93d13d69ed99ea6be5715ca5b15e1877ed09a274ca9cf55f4d16a22
AgentTesla
310cda4734ff6074a97bb0e7cd6c5ebe6aaaec58408650752b73dbae53a5e396
AgentTesla
40d1d555d1d73aa499642f57619f6e749ffc9d3439841628032093af5ae8da6c
AgentTesla
759084fe8aec51cc1cd648c78a6319f862bf78c41aca7f6357bbca5eb7373e93
AgentTesla
7cada1e2ded7a265c041691dc017fa160e9c47a4a1c866a3ae54a3b5f4de0e89
AgentTesla
a35e2cdf735f7548734e3a0647849754ce8b180809438efa67ae280454831443
AgentTesla
c569ea3c10452469dfd9df63bda102f9e8e2175cc00ce1e117c9dd39465722c6
AgentTesla
c93430e7fb2c4ec4e153b846621930889a45cd33bf94ae2d6816d46a4c20ef1e
AgentTesla
f5ee6f7a864b708ffd39b0f243c5fc86969f047beab0e17036c4e80ddd542b73
AgentTesla
+ 10'661 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200819-eyv5lrcdbx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce6375b775b9a193e76d8ee3b197e9747468a0e6d3440a65ca2fd50bf664a1a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj ccacb95e04e5efe4884552f8faa9507a2de32c30e46f196e9717156f68c96961

AgentTesla

Executable exe ce6375b775b9a193e76d8ee3b197e9747468a0e6d3440a65ca2fd50bf664a1a2

(this sample)

  
Dropped by
MD5 922bd1f93351cb3d4037cc7bcee251b9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48257/
  
Dropped by
SHA256 ccacb95e04e5efe4884552f8faa9507a2de32c30e46f196e9717156f68c96961

Comments