MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de79ac00f59dfdffc37abc93524e329d5a48f6bd3f3ea5fec5df264e08d4a6a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	de79ac00f59dfdffc37abc93524e329d5a48f6bd3f3ea5fec5df264e08d4a6a3
SHA3-384 hash:	5c32f5c2eb5cc6a3b9852467589c4e9e41d0eb86bf46df1660032cdd49e2caedd90a6c56d9bca3fda82a05e1ae569502
SHA1 hash:	27dcb7666165517790d2688b238817832762bfbf
MD5 hash:	dfd5f2a70c0d088b9bc934e2ff1531df
humanhash:	idaho-charlie-alaska-papa
File name:	HaeKeon RFQ 08-00820.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	411'648 bytes
First seen:	2020-08-05 08:49:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:RCLu9QIE/K7WvJ5BAkJr5kNWK0pTYRxMAR+kxgsO27twKNxFPHhUnGW:RCS9o/KWJjAkJVkApOWS+kxgmZPqnN
Threatray	68 similar samples on MalwareBazaar
TLSH	F194D008A7B8C92FE2A8C9F38D16E8951766306E6F26E75B5028D0FD79C33E545C2743
Reporter	abuse_ch
Tags:	AgentTesla exe Hostwinds

abuse_ch

Malspam distributing unidentified malware:

HELO: hwsrv-759095.hostwindsdns.com
Sending IP: 104.168.132.168
From: Seo-hyeon young <s-hyeon@haekeoncorp.co.kr>
Subject: HaeKeon RFQ
Attachment: HaeKeon RFQ 08-00820.pdf.r00 (contains "HaeKeon RFQ 08-00820.pdf.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/39268/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/410685

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: Suspicious Double Extension

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de79ac00f59dfdffc37abc93524e329d5a48f6bd3f3ea5fec5df264e08d4a6a3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-05 02:21:27 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3z42yahvtx677q32xsjvetrstvner5v5h47kl7wf34te4cguu2rq._file

Verdict:

unknown

Similar samples:

024a7a5c317494884d0d691409884e2bf0e842167c9b5b1ea0d4486d480ba006

119b5245ce5d74924a8b9197fab672d520bdca56364b0a2826f76ecec1855501

25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f

4ea16682c6d48eb737c1857beceadc3d3077921c03fa62d9dad44d551d92729d

6fa3a8b31b5aa450afc06a2a08149af42ef62ae7be55d93db25ec2c3e3edb93f

878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2

987e0b5d35a989d7eff88f7aed06a643e18d500266871e9e1cb901ed8f3d484a

9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37

af4614a203bf30b1a7d9cd1f3eb86ea531dd2f15849a69fd8df3f0502f58e4e1

d0a9cde7ebed2daf4306e0e76a341e6c4293bf9904ed464f5bfcb462dc0999d0

+ 58 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer trojan spyware family:agenttesla

Link:

https://tria.ge/reports/200805-x4fqrryvln/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/de79ac00f59dfdffc37abc93524e329d5a48f6bd3f3ea5fec5df264e08d4a6a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r00 65ca2b38961fcbe3934e404518a1b582167e14d519e4b652ce3ef0b061716f52

exe de79ac00f59dfdffc37abc93524e329d5a48f6bd3f3ea5fec5df264e08d4a6a3

(this sample)

Dropped by

MD5 7f3791ec9832fbdf4b1199c28b1b0707

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 65ca2b38961fcbe3934e404518a1b582167e14d519e4b652ce3ef0b061716f52

Cape

Cape

https://www.capesandbox.com/analysis/39268/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample