MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36
SHA3-384 hash:	01aa7400a98e3ad6ac6b59f55679645eb42c9638ae7374719e0f14fec5e4d48dd37dd4254a4962d1b3c494c014c3ae2d
SHA1 hash:	7696d62e84cc5ebb2cf6916833ca121535d96c80
MD5 hash:	15a3d96eb1046b1d85389f4330f10e35
humanhash:	undress-winter-orange-lion
File name:	j0cBNvOolccjrJ2.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	489'984 bytes
First seen:	2020-12-08 14:34:07 UTC
Last seen:	2020-12-08 17:08:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:7jebxWklNG09SNvBDmCZdzI6emXAmNAzV8S9V21neC:e9WUN0D9ZdlQTz0neC
Threatray	14 similar samples on MalwareBazaar
TLSH	FFA4F132021A9FABD73E0F7B910816148FF5F427BA16E79DBF8450D502E67948D60EB2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

140

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

j0cBNvOolccjrJ2.exe

Verdict:

Malicious activity

Analysis date:

2020-12-08 14:55:56 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/80f35add-4f47-4c9c-8666-b29015ae0772

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107267/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.1066.3822.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/557998

Signature

Found malware configuration

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-08 14:33:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Verdict:

unknown

AgentTesla

1c1ebb6aaba42418e1648ae40d734171414aebb324dcf2a8d2a413f275d6e5b8

AgentTesla

39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7

AgentTesla

82ffc9d5e821acbff5872134b8851ba0a494e88e87df97b17b3f28c81b8f3b83

AgentTesla

98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358

AgentTesla

cc8de0f68549d84a62dcd11df6625b2bfe08a6cfaea102f4710e28969a60f689

AgentTesla

d2bf967449913fb1af71ef3b38581eeb0ac7519e3a480657a78336dcfc615bf4

AgentTesla

e04ac8ec3e13e60c17c1ab13acb486e2e60877e44b6a3ee8a9e372a45d0c8e42

AgentTesla

e7ccbe9dfaa198263b85336d9f89a775f7601070708ce65b9e4612332e0207b8

AgentTesla

f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293

AgentTesla

+ 4 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201208-hqra9xzfm6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36

MD5 hash:

15a3d96eb1046b1d85389f4330f10e35

SHA1 hash:

7696d62e84cc5ebb2cf6916833ca121535d96c80

Link:

https://www.unpac.me/results/daf7bbc2-310e-4799-b848-9ef7d3cd5859/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/daf7bbc2-310e-4799-b848-9ef7d3cd5859/

SH256 hash:

9caa0b29897cf2638fcdc07a741ec072cbadc8683b90bc649484d27f3803e83f

MD5 hash:

bf95d2609b871500e82156df709f2d1a

SHA1 hash:

51d9f0a457a2ad18ab7fa25a856153f8c9c0b86b

Link:

https://www.unpac.me/results/daf7bbc2-310e-4799-b848-9ef7d3cd5859/

SH256 hash:

5946924652a030007584d75848847c6fcbb0ac141982dccf7733a619351445c1

MD5 hash:

39dc1c3d0643463d704d97e2667932a2

SHA1 hash:

e761a7bd5c03f708a8a2deaf501c187ce8bede91

Link:

https://www.unpac.me/results/daf7bbc2-310e-4799-b848-9ef7d3cd5859/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_Reversed_Base64_Encoded_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/107267/

URLhaus

https://urlhaus.abuse.ch/url/899426/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample