MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79bbb6858997f49d3e688ccfc44206f89ab731a1e17b3be82a1c8062e7683913. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79bbb6858997f49d3e688ccfc44206f89ab731a1e17b3be82a1c8062e7683913
SHA3-384 hash: 410e63b5b0ff84c7e18a904924fe6be19fd1efb76a657795aec710b991c1b5eed5d69f82d29dba3f164e5a47533befc3
SHA1 hash: c51e65cde458ea30c3f1d47444e074294462f803
MD5 hash: c27f466abeab5b72a6f57e5b7963b66f
humanhash: massachusetts-july-white-kilo
File name:PO copy.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:518'656 bytes
First seen:2020-06-10 07:32:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kgg3YWSRBFksjCHZGi5PxA1an4zFKxcY9uBnv6cOMkIGc:e4DFksjCHZGiTA1UG
Threatray 12'249 similar samples on MalwareBazaar
TLSH 16B4CF883250B2DFC46BCC72C9A82C64AB61A577571BD343A44726ED9A0DBD7CF142E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.teamworldwidechina.com
Sending IP: 203.69.53.32
From: Karim Export <hcm_info@teamworldwidechina.com>
Reply-To: Export <zicopromodetextiles@gmail.com>
Subject: New PO
Attachment: PO copy.pdf.z (contains "PO copy.pdf.exe")

AgentTesla SMTP exfil server:
mail.sensar-light.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 05:39:01 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pg53nbmjs72j2ptirth4iqqg7cnlomnb4f5tx2bkdsagfz3ihejq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cfd5099c6a8bf03aea60b09f4e7b829eadfcc1c0cc55f2c8bfbae01c03e56e2
AgentTesla
24632af2c40f7670d76a42465d56891715eeadb0384df9e1ba8063451425c2a5
AgentTesla
4067a43c3518dd21e937615d4d05115eeb11a15691ebb1197222221b5cdf9e9d
AgentTesla
4b26c9e25fba0ef12ed1eb75cee46b2798aa51cec237a94630e39c63ad165a33
AgentTesla
59a8159ddc43686d38e9767baaa33e51361810a837c75181163789ffc730df4d
AgentTesla
7193d497b1b85ec895b6d2c976a2d102a1a33d52b029a233d94a12cae12bd6f9
AgentTesla
78421571ed40c04719354b6c325569c68109356a6f63ec038dd14060700e8b3a
AgentTesla
8280b776a9f7cb0a8391b1d00327bb587e35d440340b55c10f9a1acb95d00d59
AgentTesla
a4cebe4913d275f7387b8d8b2acb7d76324550746e8802f28d432a15d3608194
AgentTesla
ed15459a7fd8570fc69235cac35dbe1617fa919c6c09a1978df30952b2af53b1
AgentTesla
+ 12'239 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-s53mce8y3a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z ceb18177af18c634ef91dd926dbaedec7257cd4b41a897ba650173b9ad00bfe5

AgentTesla

Executable exe 79bbb6858997f49d3e688ccfc44206f89ab731a1e17b3be82a1c8062e7683913

(this sample)

  
Dropped by
MD5 6e795a02f74bc528ff601fced3417e0d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ceb18177af18c634ef91dd926dbaedec7257cd4b41a897ba650173b9ad00bfe5

Comments