MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 799e7b4209f8eaba177033adfeede982f04fc78671aa15d64e57d82b9040a92b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 799e7b4209f8eaba177033adfeede982f04fc78671aa15d64e57d82b9040a92b
SHA3-384 hash: 8d6b81ad3f9e83c9b4ff65776c63dbab3437832b385cc3e9ebff07e7ccb454ee0a7d1fe39c8048c21a0beea81002413b
SHA1 hash: 59343d35572fe26196fc2154c6949955e53e8c07
MD5 hash: 38e590b90803aab6db0c7c8a09d8c15f
humanhash: magazine-maine-undress-red
File name:gunzipped
Download: download sample
Signature AgentTesla
Create hunting rule
File size:486'912 bytes
First seen:2020-05-06 16:55:41 UTC
Last seen:2020-05-06 18:04:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:fTLWJnGpdHK0V4qrgZNgB33j2EI/S2Ppd5zAXTqnFoXZ33jYgioymKyYUOMoCaMn:fTjfHxVVrgbonqhq2UZkgiopKRUFoCa
Threatray 43 similar samples on MalwareBazaar
TLSH 74A4BF42E704CA05C8EFC5767CBC58218BBFA64396138F579E9C08E299D378549C3A9F
Reporter abuse_ch
Tags:AgentTesla


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [209.58.149.66]
Sending IP: 209.58.149.66
From: Liakhat Hussain <com_sec@unisteel.com.sa>
Subject: UNIS-TRADE PURCHASE ORDER
Attachment: RFQ2888383PRC_PDF.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
smtpout.asia.secureserver.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gh.16103.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 07:43:00 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgphwqqj7dvluf3qgow753pjqlye7r4gogvblvsok7mcxecavevq._file
Verdict:
unknown
Similar samples:
2eaf25d2c99eb49743060031a22428bb7c8e78a99869638cfe43b977dda57f22
AgentTesla
3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
AgentTesla
41eef1a870eaea8573585611d3fd3b9f0fb30ed20ffe94e7082b8925b12c329d
AgentTesla
4877df324375a116062963d9905fe55952f405b0837b6f517cea9fd040932b84
AgentTesla
a90e37c7de58a0fc3d94a5450340daf5b37da566125c3f8ec21bb3d66a457226
AgentTesla
bc742c33c446a25e6482c4209436088415d5c89a7f8ab66f37f16006d62344ac
AgentTesla
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
AgentTesla
d8df9c022a03d7da5ca463e2cc64eac786733a6970635e2e131b7763af1d1984
AgentTesla
ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d
AgentTesla
f32e731527a2a3fa24a75c8732c2e236dfb6dd4f09c50add479d6cf9e018d34c
AgentTesla
+ 33 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-wwjmefn3rn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 715ffdccd7a864638a726085c4a43cde56b1060e0be3e474c61e01ce0f0c4eaa

AgentTesla

Executable exe 799e7b4209f8eaba177033adfeede982f04fc78671aa15d64e57d82b9040a92b

(this sample)

  
Dropped by
MD5 054075b2e54225ff5e4f4c4f52dfefef
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 715ffdccd7a864638a726085c4a43cde56b1060e0be3e474c61e01ce0f0c4eaa

Comments