MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2
SHA3-384 hash: feac3013b52c75fb0fb6c59f5d0aee2e37aaff0ef3e21c27ae60c147bd245147de9e912c2fcf9dc25aa2ab6d107dd503
SHA1 hash: 84a9aa6e034a00e5fd7aedd1c77667364e4b92dd
MD5 hash: 89df0857c50e598dce5fa9c3bb45fe81
humanhash: beer-chicken-edward-muppet
File name:office.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'772'992 bytes
First seen:2020-06-11 11:20:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 49152:DTjmqLaokqY5CGpB7AkRiLYXagmasPR58mRh:DTfGpB7AkRzqF
Threatray 4 similar samples on MalwareBazaar
TLSH BAD5A7837EC0C901E02D653BD29A864843E5D75525D3E337E8BF33AF6E0676A38099D6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-27-236.unifiedlayer.com
Sending IP: 142.4.27.236
From: Support <bakerys@unclejohnsbakery.onmicrosoft.com>
Subject: Please confirm 6/11/2020 9:29:05 AM id:XXX
Attachment: confirmation.doc.zip (contains "confirmation.doc")

AgentTesla payload URL:
http://wg-mallestig.at/libraries/cms/editor/00/office.exe

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9007/
Detection(s):
Win.Dropper.Msilperseus-7772566-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 11:22:08 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgx4tm43u77h3vxnfawtt24rlo2he4ovkilx6ywgmbvztea7ttja._file
Verdict:
unknown
Similar samples:
23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374
AgentTesla
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
AgentTesla
f0b43b05479d8dde3603ef587da02925b703d7d5bc8332656ab9ca7f7e1554a4
AgentTesla
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-fdj7713was/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e42f70cff686d207749d89fc79cc118fdab84bbe647d392c37277b5a97ae8c0d

AgentTesla

Word file doc 3142977bcfdcb210911cafe45c3bfe32085ba994cdc0eaa216beef13e8c2a43e

AgentTesla

Executable exe 79afc9b39ba7fe7dd6ed282d39eb915bb47271d552177f62c6606b99901f9cd2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/386591/
  
Dropped by
MD5 7c777caa699a828658624818271dbb8b
  
Dropped by
SHA256 3142977bcfdcb210911cafe45c3bfe32085ba994cdc0eaa216beef13e8c2a43e
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9007/

Comments