MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5
SHA3-384 hash: 6b8487974ff6061619c2631e63b93e719904304b88cf32c1672a93fe863b0938f6df96cff28ca41883914e19814b72d3
SHA1 hash: cb83cd7dcb40065998aa91a36f80606544fb519d
MD5 hash: 9448a7e12108858e1e48097be290987b
humanhash: jig-five-california-march
File name:9448a7e12108858e1e48097be290987b.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:21'160 bytes
First seen:2020-10-13 10:43:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:GwAo+d7k3rwgSWDvAnglRLLlm6N9b//96lN/QNcvncFN/Yaa9sgfxIZH:GwAo8+AWZHxm6vb/V6CscFRDgf2h
Threatray 504 similar samples on MalwareBazaar
TLSH 8592A404728A9D63DF2B073D43FB5901C3F025E11773C6269AEC93D98A861139F5FA96
Reporter abuse_ch
Tags:AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Oct 12 21:22:06 2020 GMT
Valid to:Oct 12 21:22:06 2021 GMT
Serial number: D26CC66E1FA4425013DF823A4D53C017
Thumbprint Algorithm:SHA256
Thumbprint: 0822F8D49970ADFC4C7CD777615F0F9A1A521D7783BC630FD45D624610EF3C97
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Creating a window
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489580
Signature
Antivirus / Scanner detection for submitted sample
Connects to a pastebin service (likely for C&C)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 297243 Sample: QVbtjYH7ER.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 41 us2.smtp.mailhostbox.com 2->41 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Found malware configuration 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 4 other signatures 2->57 8 QVbtjYH7ER.exe 15 8 2->8         started        12 myapp.exe 4 2->12         started        14 myapp.exe 3 2->14         started        signatures3 process4 dnsIp5 43 hastebin.com 172.67.143.180, 443, 49732 CLOUDFLARENETUS United States 8->43 59 Hides threads from debuggers 8->59 16 InstallUtil.exe 16 4 8->16         started        21 WerFault.exe 23 9 8->21         started        23 timeout.exe 1 8->23         started        25 conhost.exe 12->25         started        27 conhost.exe 14->27         started        signatures6 process7 dnsIp8 35 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.98.120, 443, 49745 AMAZON-AESUS United States 16->35 37 nagano-19599.herokussl.com 16->37 39 api.ipify.org 16->39 31 C:\Users\user\AppData\Roaming\...\myapp.exe, PE32 16->31 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->49 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 21->33 dropped 29 conhost.exe 23->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 01:08:00 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfacwahz4i7f3o2f7qk2a6nzgcfavcimpfk5bzy6lvkitwonvssq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
210c6f413be18ff3ba11a0ba9886179cf98e73e43d3e0b366960d04b925e9283
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
44c8acbbe1fdbcab7397c03bc91d5d3f440ec11f6358974e4bcc27ee28a4b838
AgentTesla
5a6ff674194fd8f0b7221de0d402f383eec634054768bd2df0e7adc2fa825953
AgentTesla
8defc26c3fad9953293008069e733fc37d2069edefb6ab84c0a6dea168e8c963
AgentTesla
b1a2b363a87d3f8bc4f184fe929f6025acf4da4d0379d595ea006e884a12179d
AgentTesla
ca23807d51b989324e04dafc821c7611cf0ee25d04aa9a20c41a6b92303ca81f
AgentTesla
dca8d76c88ee16a9e17e7481f2912e955530296f6ce71e77db7dbadcbffc5c19
AgentTesla
e6664f4dc05ada4dbb64eddc1fd5c2ef57214a83c55bfe65195d07adf17bcaca
AgentTesla
+ 494 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201013-vzyg9j7r6e/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5
MD5 hash:
9448a7e12108858e1e48097be290987b
SHA1 hash:
cb83cd7dcb40065998aa91a36f80606544fb519d
Link:
https://www.unpac.me/results/e43563e3-c663-4175-96f7-eaf0a0b9ab2e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/684925/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70410/

Comments