MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c995a85f1bb154c622993d40c068aac98ea09209fae2cf2a22613886b1af80c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c995a85f1bb154c622993d40c068aac98ea09209fae2cf2a22613886b1af80c9
SHA3-384 hash: f72101812235472aafe91960d03729d8033b0a28086170e47bcdf0f5dd93b53ac293a5df53454c874637cb17bdd6c3e4
SHA1 hash: 4f7c9bc4f84ffdcfdd640868ce392a8b85b8264f
MD5 hash: e00caff9d75c3991bba05b152043a0d8
humanhash: moon-august-fix-oxygen
File name:Hkempqc6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'121'280 bytes
First seen:2020-11-07 10:24:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:nns7fR8d7WCCnGD/3kEsytOzdRTpwIJnA1BClODYjJTXv+cU6IVk/I1PuTXRLP/i:0
Threatray 185 similar samples on MalwareBazaar
TLSH 0735393B1A805832F377C17981FA6D97BF1D6666B003BECC8192675119D3BE2ED8902D
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: competent-lamport.104-215-113-137.plesk.page
Sending IP: 104.215.113.137
From: Tina zhang <user687@gtoolswebmail.ga>
Reply-To: christinely123@outlook.com
Subject: Quotation Request
Attachment: Hkempqc6.zip (contains "Hkempqc6.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisE00CAFF9D75C.9194.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/523802
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c995a85f1bb154c622993d40c068aac98ea09209fae2cf2a22613886b1af80c9/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 19:29:21 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgk2qxy3wfkmmiuzhvama2fkzghkbeqj7lrm6krcme4inmnpqdeq._file
Verdict:
unknown
Similar samples:
1d41e76da681ad17d46ff9a1fb6f59afb00a8e96df9f2adf42634f05849e6fd2
AgentTesla
1f63aff33db6b9a2920969f2f8d4ccb92f745596881cfa3fc9f651162aa43e88
AgentTesla
3324b658bb54b1934613b8fdecb2f12f7aabb815a4ca42b48dc7bdf4837026c9
AgentTesla
334ab59399997e54878083e726a2dbc5d41f844025742b4ea35921a93bf24d68
AgentTesla
b22d33b348ba648c5f39061bb4e743ed6a52dd57720de34902c093a2f2ac97ab
AgentTesla
b524b8d67e16781462e06815013dc190be41690c8a3cfcbbb6cff09bebb7c07f
AgentTesla
c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004
AgentTesla
c5216e025f487ad72623e702871432afa40739fc1d2b24fca4bcbd7f009d0064
AgentTesla
d6b834570825a606942ff096f5ad3df33f58082be5a68bab447bc9af4b114e95
AgentTesla
f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec
AgentTesla
+ 175 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201107-b313hh55ax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
422bb33b3cb696a510149fa388a45274152423a7d75c0d1e5ad95e35c7305f30
MD5 hash:
da6bafc6b5aa6728b9b75d591c6eb2b3
SHA1 hash:
7d7f790c0ee4c988dce9202123ebf8287d9cf161
Link:
https://www.unpac.me/results/fe810cca-d3c0-4370-97d1-b5f36eaf59c8/
SH256 hash:
313bd2f6455bd64b81bfce459d0bc37e40e2786a1af2f41b1d7a2e4853e57a71
MD5 hash:
252b26f86a7535e238a0453608e2fc5e
SHA1 hash:
f680e72f4c33cae0fa5ea9e742797fa04d7ed00d
Link:
https://www.unpac.me/results/fe810cca-d3c0-4370-97d1-b5f36eaf59c8/
SH256 hash:
c995a85f1bb154c622993d40c068aac98ea09209fae2cf2a22613886b1af80c9
MD5 hash:
e00caff9d75c3991bba05b152043a0d8
SHA1 hash:
4f7c9bc4f84ffdcfdd640868ce392a8b85b8264f
Link:
https://www.unpac.me/results/fe810cca-d3c0-4370-97d1-b5f36eaf59c8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8b0bc73b32e3f398f437656c1b2178cf660d20e377e98d56b2a3a754d2ad0799

AgentTesla

Executable exe c995a85f1bb154c622993d40c068aac98ea09209fae2cf2a22613886b1af80c9

(this sample)

  
Dropped by
MD5 acfd56ace0d13410706691bc92a06381
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8b0bc73b32e3f398f437656c1b2178cf660d20e377e98d56b2a3a754d2ad0799

Comments