MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce132a11e36407341db1d51019d28597718f90e203ff091f2e03d72d8c6f771f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	ce132a11e36407341db1d51019d28597718f90e203ff091f2e03d72d8c6f771f
SHA3-384 hash:	5b1746fabc93fc3a054adca54fe741ea65ade5bac2405b554b2f1c36fd2509880dfe641a6025fcbc734287539c370dab
SHA1 hash:	34c936bf48068087d9f0adf8172ccd5d14bbfb97
MD5 hash:	67030893b630bf84b45ea528aa14261e
humanhash:	gee-pizza-iowa-helium
File name:	Quotation Request G465.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	463'360 bytes
First seen:	2020-05-20 08:33:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:nfyuh7aF3s9pqsdS4XGV5v6CvSD0J3YM2DHCeJrW:nfn7a50dS4X85v76D0J3d2DjW
Threatray	846 similar samples on MalwareBazaar
TLSH	EFA4E0117268690BF9ED90F948D2E08407B566B71387F7C95CD6B4CB32D2FE28A225C7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mixtec.com
Sending IP: 209.58.149.65
From: Vinay Menon<vinaymenon@mixtec.com>
Subject: Re: Quotation Request
Attachment: Quotation Request G465.kLG.pdf.rar (contains "Quotation Request G465.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

85

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-20 08:36:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

3

AV detection:

24 of 30 (80.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zyjsuepdmqdtihnr2uibtuufs5yy7ehcap7qshzoapls3ddpo4pq._file

Verdict:

unknown

Similar samples:

00b85c15e241bfcd6a5a9d64029e117876da5029b60b8f4828f859277dafc6f2

41c7d6bad3849fb7c5365745b2be8678e3e8ad63d5b4e8329b1b3206c5d1adf6

5421a06f84e1731435298ca1c0569059d4d6ab81463ef7f0e5515ebf60bb520e

6b190569425a9948a6a74bb7acfa11b02f32688ab673e39ac48a44d3d258a825

7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09

a59e7a658d6a43b5e70257422319acaadb0705b28e4879ebebaa346948df9898

d8450acc64ddba18cda3926697f2953a4bc632607bb975a31c8dbeaa882765d0

e390ee24fef5920157d9c28af8d232cd542f30b193481fef6fffb007631f374b

f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21

ffb4e1b5e6ac64c969e3f90351eb0d401146f266b6678dfbff611faaf15a311f

+ 836 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla coreentity keylogger rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-2zql22clve/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 7ea8cc004b1211395e857faa53fc057ad706520fb7b14425f965fa27e0be8da6

exe ce132a11e36407341db1d51019d28597718f90e203ff091f2e03d72d8c6f771f

(this sample)

Dropped by

MD5 b9487dc06315f300b5a4479710c75ca9

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 7ea8cc004b1211395e857faa53fc057ad706520fb7b14425f965fa27e0be8da6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample