MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79c918eb12cd2f34d937a55c33af9434177fc25f59d7c7c956fdec75344d7cd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79c918eb12cd2f34d937a55c33af9434177fc25f59d7c7c956fdec75344d7cd2
SHA3-384 hash: e146c55f8a476c24122fc4d82515b4b1b4fc148a82f22d0c76edab7bea969331ebd4bff316b971e490875b53883a05b3
SHA1 hash: c1d6e0226992668a84b207e61a5656135cf115c1
MD5 hash: 9f8f17f320dec2e496a658b5c99edc89
humanhash: may-comet-lake-uncle
File name:SecuriteInfo.com.Trojan.Siggen9.54526.26670.17888
Download: download sample
Signature AgentTesla
Create hunting rule
File size:465'408 bytes
First seen:2020-06-19 21:32:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:804ysoB65n+Pwmp8T4WU0lYwW1OVW4EgOz1lvZ5+N+1:8OsoG+PucilYwRWfL5ZIN+1
Threatray 147 similar samples on MalwareBazaar
TLSH 8CA4D03C03A5FA6FD5BD87BDD0A5410C92E3C1E256DBDB894A02B0EA0E46B5AF137147
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9851/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.54526.26670.17888.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 00:58:00 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pherr2yszuxtjwjxuvodhl4ugqlx7qs7lhl4pskw7xwhkncnptja._file
Verdict:
unknown
Similar samples:
03e2fedf787303ddbb21c7d1850f7a97dccf1bc5ccc3846d37d827e498263ab1
AgentTesla
0b9bf960a70b60232a00272aec1c69b56ae3baa282b2f7c17ad377a6e8f65b1d
AgentTesla
1017b23d5d7849554883e4cf55e8f9136a3344c631485c4786d2cd227b2b5a6a
AgentTesla
2088534f73106229d20329297ac7079561b2c6d2ab60631af0b29e416389839a
AgentTesla
49756fa94c01f66d0f0ef634a0d277c9a4b654c92f86665593c23d9e66db9dc2
AgentTesla
7d65c5f831361d3e7441c49dfe9e5a286c1b142fa1315c3460e144b240a2afaa
AgentTesla
8df3f6979cddda955efe2734b84c83411b4f0fa4ff1200794a9c9a99a173b9ad
AgentTesla
b2d60c8915d3180d7416c1c7067bb63b0002145b7dfb0fecfb2899cbabf0c274
AgentTesla
bb87a6186306d0417e723b3ae04b70193f32d8b5fe479de840ed10f243234c4d
AgentTesla
cc8cf128220c891f74068de7a331bc70c9f7e7a141dba5afdd4eb94adfaba510
AgentTesla
+ 137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-xpa2sdfkw6/
Behaviour
Suspicious use of WriteProcessMemory
Maps connected drives based on registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 79c918eb12cd2f34d937a55c33af9434177fc25f59d7c7c956fdec75344d7cd2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/399484/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9851/

Comments