MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79bfd222eaaeba868d6c0fdc76fff4980e9415b11633d0e98b940aa0ef922a80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	79bfd222eaaeba868d6c0fdc76fff4980e9415b11633d0e98b940aa0ef922a80
SHA3-384 hash:	9ab54586386d0388ecfcb730e7f6d0668a4e8b63528f890a76508ec41a346ec31d566c29244242fdead9d7af17180376
SHA1 hash:	08a5baa99190921252a919b9532856a7e0c14bc5
MD5 hash:	f72b401ea5d1416d4f0cf2a353eb7da9
humanhash:	foxtrot-sweet-carpet-illinois
File name:	PO6320.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	489'984 bytes
First seen:	2020-06-03 08:56:40 UTC
Last seen:	2020-06-03 09:24:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:1y6DTE+X2rfwA2J4fUIYZSvnHPNM1J11aOYCZpi0ih:1pL2r8fIYZSvwHrriX
Threatray	179 similar samples on MalwareBazaar
TLSH	16A4014532495E27CABC48F280B2228943F8911666F7FBC9ADC625DB26F6FF08501F57
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.hiskaol.ga
Sending IP: 89.32.41.144
From: Devang Goenka <sales@hiskaol.ga>
Subject: Re:PO6320 For Shipment
Attachment: PO6320.IMG (contains "PO6320.exe")

AgentTesla SMTP exfil server:
mail.thepackaging.com:587

Intelligence

File Origin

# of uploads :

2

# of downloads :

62

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-03 15:54:41 UTC

AV detection:

14 of 31 (45.16%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pg75eixkv25indlmb7ohn77utahjifnrcyz5b2mlsqfkb34sfkaa._file

Verdict:

unknown

Similar samples:

182cba034214e142fe766a5a2970d69601709db30e7e497c1b218166324fb559

578f0c45d373956b4048324e019135abe012411ed17d3137ed32dfd2ee30d720

57ac709fd6909469a9a42bf53e37a3bcde0b0b1b613e146423fe6f0fc7c5623c

64baf83c9b911fb05c284a8bb464c930d48ce9e50b8450d707bf78df0b169942

6f9cbaa045e20abe4f011a4893b48dfb8e39c2cf44d9588d5c88eb03cdb32c2b

a014e0a743059e2028857df1f0440dc364c988f32100a5530a719f0339a0bf99

d2a97ab97d0977567f4b2ee6ba659725fc82e9d4fbdf293b5f2bed5152d40af5

e0b817181540e409f276583418e63e0f73a7ab36a323b86b304cd21e3a91f788

ea00e61f682dcda07a223e3812f6b87b2182a3dd9999a6872563ea709bc2d282

ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9

+ 169 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-gav3gge9z2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 74b7ea02de9f9cf8d93f1520e5a03eea22722f488cf5d8e780b8d0575e2b97b7

exe 79bfd222eaaeba868d6c0fdc76fff4980e9415b11633d0e98b940aa0ef922a80

(this sample)

Dropped by

MD5 a1403febb5107873bf3780bd9035d5a4

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 74b7ea02de9f9cf8d93f1520e5a03eea22722f488cf5d8e780b8d0575e2b97b7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample