MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67163c34b396f7fc4a1dec14c1a0e598d5ac5786e6c26f11c8b8b16b31b70f4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	67163c34b396f7fc4a1dec14c1a0e598d5ac5786e6c26f11c8b8b16b31b70f4c
SHA3-384 hash:	47ddf2e306f624026687ea5a200c33312df1a7afeac2de7724670f8fa5d59018ca6f3dac3b117b42de51793af1bac4d0
SHA1 hash:	6953afddd00c760525ea91c376b1d5205164841f
MD5 hash:	eaa3035b2314bfba3c2a110d8a43b5be
humanhash:	grey-princess-west-kansas
File name:	Ton-Keep purchase order_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	472'064 bytes
First seen:	2020-08-18 11:14:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:3bG0hyYHig80QcnhFJUHf/FId/eH7HpCec:LG0Iarkf9rbJS
Threatray	1'038 similar samples on MalwareBazaar
TLSH	5CA4E03233989B15D27B4337CCA9604503FAB8077551DF6EBDDC235C5A12BA38B226DA
Reporter	abuse_ch
Tags:	AgentTesla exe SendGrid

abuse_ch

Malspam distributing AgentTesla:

HELO: o3.hv1le.shared.sendgrid.net
Sending IP: 50.31.63.183
From: Joyce Chen <leekk91@impt.kr>
Reply-To: leekk91@impt.kr
Subject: Ton-Keep purchase order 2020
Attachment: Ton-Keep purchase order_pdf.7z (contains "Ton-Keep purchase order_pdf.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

61

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47725/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67163c34b396f7fc4a1dec14c1a0e598d5ac5786e6c26f11c8b8b16b31b70f4c/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-17 23:02:25 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4ldynfts337ysq55qkmdihftdk2yv4g43bg6eoixcywwmnxb5ga._file

Verdict:

malicious

Label(s):

remcos

Similar samples:

3ad93466a6cf17944a21b708648e557f7b5ed91866932bbc0bbef14ca9805a70

485c1301f4bc84bc2d274f53222cf7ca5fbd8af8728d1aaa977a6574f577fb87

7720da8dd623a00812870efdb75c2f2571417599ebfabcff48d2bd95cd029ea2

83eb442b175e4fe5a2fde6e8d72618eee280398f89a81da1f9c118d2c46032d4

9930543939f97818319ed031530d9e084994331aa4b06a304faeb321bbcc63db

a1c561c21720c4f1c3626276db6afc2c12b1aae9304c78518763eb78454f84b8

c86bcfe4e22cb50054b44e38fc4fb79624c4ed5bf9a26174754dbb5c1a6baff8

cb6affdde93718be644073a946c21fee8a7c8e1312a6009c6ee76ded4a5d6eb6

d18a9ab5894eef77fd871647912b9a4aa51e4124568055c8aca3537fd150b7e3

eb1230ab4a5408a3d264bb51f1ff311fcf52aa97d52b801738cd5add365e77d2

+ 1'028 additional samples on MalwareBazaar

Result

Malware family:

remcos

Score:

10/10

Tags:

rat family:remcos evasion

Link:

https://tria.ge/reports/200818-p6q59nky72/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Remcos

Malware Config

C2 Extraction:

194.5.97.70:2404

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z dfc7f8d0f59dc66f78fffea0b999a2a662057edbc39a836de95884147464f643

exe 67163c34b396f7fc4a1dec14c1a0e598d5ac5786e6c26f11c8b8b16b31b70f4c

(this sample)

Dropped by

MD5 95d29a0667bf76a05457b0a26c6ea041

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 dfc7f8d0f59dc66f78fffea0b999a2a662057edbc39a836de95884147464f643

Cape

Cape

https://www.capesandbox.com/analysis/47725/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample