MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e
SHA3-384 hash: 72f2cbe0aea38b311ee9ff7d8f0d30862e5fa5d3cea8430236d2b03340403c75cc953c433a83b81cc5d08033012b9795
SHA1 hash: 85c77590de34aa973e54573a3bf5c859a4ee553e
MD5 hash: f34727d791b0a28bc247f7de2f50cbb3
humanhash: florida-edward-oven-nitrogen
File name:PROFORMA INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:945'664 bytes
First seen:2021-05-06 05:33:49 UTC
Last seen:2021-05-06 07:22:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:iIoNVfMLbFVEloLLoS60/K7yh0ElJLRy3AXW5ezLtzfMG+joousthx9QFPUY/7iS:4fib+oLAEcQm5iLtzmoPUY/W
Threatray 4'525 similar samples on MalwareBazaar
TLSH 641528EC721074EEC617DC22DBDE1C1596202176972BA607932303BD9A0FE57AF385DA
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
4
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151294/
Detection(s):
SecuriteInfo.com.ArtemisF34727D791B0.29137.23563.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713171
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405511 Sample: PROFORMA INVOICE.exe Startdate: 06/05/2021 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 14 other signatures 2->66 7 PROFORMA INVOICE.exe 6 2->7         started        10 kprUEGC.exe 5 2->10         started        13 kprUEGC.exe 4 2->13         started        process3 file4 44 C:\Users\user\AppData\...\LtEnwoFDmRopD.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmpFF7F.tmp, XML 7->46 dropped 48 C:\Users\user\...\PROFORMA INVOICE.exe.log, ASCII 7->48 dropped 15 PROFORMA INVOICE.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        22 PROFORMA INVOICE.exe 7->22         started        68 Multi AV Scanner detection for dropped file 10->68 70 Detected unpacking (changes PE section rights) 10->70 72 Detected unpacking (overwrites its own PE header) 10->72 74 5 other signatures 10->74 24 schtasks.exe 1 10->24         started        26 kprUEGC.exe 10->26         started        28 schtasks.exe 13->28         started        30 kprUEGC.exe 13->30         started        signatures5 process6 dnsIp7 50 192.168.2.1 unknown unknown 15->50 38 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 15->38 dropped 40 C:\Windows\System32\drivers\etc\hosts, ASCII 15->40 dropped 42 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 15->42 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->52 54 Tries to steal Mail credentials (via file access) 15->54 56 Tries to harvest and steal browser information (history, passwords, etc) 15->56 58 2 other signatures 15->58 32 conhost.exe 20->32         started        34 conhost.exe 24->34         started        36 conhost.exe 28->36         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 05:02:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2isbbrqyo6pzlj6am32ir3cdrkeiewce7m52su762bbsyx5vzpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0cf2c83a922e75556e9612e1639b50f71697b5e79dccbb050218369e31aab445
AgentTesla
44b5433b69ab50ca347baa5c090d37cf7e348526f00b54fcd561144971f2fe4e
AgentTesla
6d44f8ab6e901e6a53350be7fb31f0f2bf50678440707adf46346c47c39fe91d
AgentTesla
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
AgentTesla
aff05449760ff99e902971d68c62bc5b86affd5f1cb40d6c911ae4c691943bec
AgentTesla
b1db9b45aa4903a5d9086d759765f4cb76a23e601c7bfd8133d440cace108307
AgentTesla
ca7beb7680e56c787ab0e04634f813dbeda9ce2ac1469b86ac50ba97a797180b
AgentTesla
da1572b871bcc28eb8469433a7cde5e1a231bf262ea4be9e282201ecf400481a
AgentTesla
dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9
AgentTesla
e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb
AgentTesla
+ 4'515 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210506-kpnqfldkxj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/50297451-101c-44da-8a88-a7cc24426879/
SH256 hash:
1decc1ad4e2b1f7bfee60a84b57e299bd07964c58ada3f700ae53a4b88faf821
MD5 hash:
66e63cbf9d61d24ca7c62377da86b208
SHA1 hash:
ea6e6099d0392a397bd73da2060750062011bb93
Link:
https://www.unpac.me/results/50297451-101c-44da-8a88-a7cc24426879/
SH256 hash:
a0f9cda1d60d55b405653c3f0abcf70a9570eb9fd02c621e511f71a7dce234bb
MD5 hash:
604f12c5b69f8509f6e9b5dea734a2c6
SHA1 hash:
8bf603e3df9a0b894bb87b3aa6961d21a34db0a7
Link:
https://www.unpac.me/results/50297451-101c-44da-8a88-a7cc24426879/
SH256 hash:
ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e
MD5 hash:
f34727d791b0a28bc247f7de2f50cbb3
SHA1 hash:
85c77590de34aa973e54573a3bf5c859a4ee553e
Link:
https://www.unpac.me/results/50297451-101c-44da-8a88-a7cc24426879/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar bb6626743742717768ceedefffbf11e322e680bb1646a30e724fa691cb04d586

AgentTesla

Executable exe ce91208630c3bcfcad3e0337a447621c544412c227d9dd4a9ff6821962fdae5e

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/151294/
  
Dropped by
SHA256 bb6626743742717768ceedefffbf11e322e680bb1646a30e724fa691cb04d586

Comments