MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce79965e4d06eb68644640f4a9396de4cb4e3299d0702e494c045fc07ae03931. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce79965e4d06eb68644640f4a9396de4cb4e3299d0702e494c045fc07ae03931
SHA3-384 hash: 96019f6505cb9df461e720344df98c13f85f92f89d81cca330c4eada5b66d7ec1dee4ce92e4caffa432462c8e3009ec0
SHA1 hash: 5a03f8ee27894f970519cadc6a1e45c6fd806277
MD5 hash: 5bf0cd66958a09eef54460d0e690acfe
humanhash: quiet-mobile-utah-finch
File name:Outward remmitance.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'762'816 bytes
First seen:2020-05-13 12:02:16 UTC
Last seen:2020-05-13 12:51:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:/iIAJnFzTDgUqfrAPBbGcEh6L2JxyEhgDvWZ5:/9Czf6PcuxyEm0
Threatray 446 similar samples on MalwareBazaar
TLSH 718512BC3418B9EEDC5BC8769A982D28A6A03577530BE253941741DDAB0DAC7CF184F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hotellanassa.gr
Sending IP: 185.222.58.101
From: Chief finacial officer (CFO) <md@hotellanassa.gr>
Subject: RE: foreign payment
Attachment: Outward remmitance.iso (contains "Outward remmitance.exe")

AgentTesla SMTP exfil server:
smtp.ka0yi.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.5960.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 12:35:45 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zz4zmxsna3vwqzcgid2ksoln4tfu4muz2byc4skmarp4a6xaheyq._file
Verdict:
malicious
Similar samples:
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
AgentTesla
3ecc7f6abd145158004019c01e8f8f7e56c2bc3d9b4625a3fe2e1eee470a7dd8
AgentTesla
5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b
AgentTesla
6033acde8c4bde98b22ad4e45db8bc34123e794019b42750a3430ba97e33c804
AgentTesla
6b946bb613a85c620302f21a45e55e1cf87fa06941df163aafcfbfcecb580276
AgentTesla
8978b5eb14061436a8d2249f9c92ac75d8307c83a09ea7aa3e6572f704b4335f
AgentTesla
a007c974d0e999a91fb8e3c81489642b608dee675c411d99baf42499c64cc1a8
AgentTesla
d08aead15f73a995edb3859145a359316117d4b82d2c5a0f4a5b599eba28d263
AgentTesla
d21f5fcd18544952bb7012782c68b9ab3f89f1d4ee154564eafc32cce59e1ada
AgentTesla
e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759
AgentTesla
+ 436 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger coreentity rezer0 spyware stealer upx
Link:
https://tria.ge/reports/201109-becr5yyema/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
rezer0
CoreEntity .NET Packer
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

6add318f8ad39335a4d677f084d21ba5

AgentTesla

Executable exe ce79965e4d06eb68644640f4a9396de4cb4e3299d0702e494c045fc07ae03931

(this sample)

  
Dropped by
MD5 6add318f8ad39335a4d677f084d21ba5
  
Delivery method
Distributed via e-mail attachment

Comments