MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641
SHA3-384 hash:	ce04c52af96fe5eb5e77b2676dc19abeee6dab6cb4eaa38bc65fd78a71c7e2e327aac98d15a6005bac2b5a24d4c16996
SHA1 hash:	e88b93cb1355bdff8fe22d2584cfefd1a0674cf8
MD5 hash:	e839aaaf8548e0f5389c05b774c6a21b
humanhash:	vegan-texas-hotel-romeo
File name:	SecuriteInfo.com.BackDoor.SiggenNET.5.3809.31399
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	369'152 bytes
First seen:	2020-08-10 18:29:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:AGnqCobYbzY/wKBkmrQb3aS35y4bmnQ625uXRn0xq95wUR2d7Yi4Vl:AoxFtKPm3awFa2Q0xY5wU87Y3
Threatray	11'060 similar samples on MalwareBazaar
TLSH	447422367EC9AC06E7CB5FB1FFC39090C36AA55094AB8779794622C084E27D6C983587
Reporter	SecuriteInfoCom
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.BackDoor.SiggenNET.5.3809.31399.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a keyboard event handler

Stealing user critical data

Enabling autorun

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/417495

Signature

Creates an undocumented autostart registry key

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641/

Threat name:

ByteCode-MSIL.Trojan.CryptInject

Status:

Malicious

First seen:

2020-08-10 18:31:06 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dguoj6p3ah7ugm6id54lxjq6ilkrnsda5clu4bm35axsx6ovuzaq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

269770044a2b90764179e7d03229a3977e6034257d036c9f3d977803107f8b24

AgentTesla

500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5

AgentTesla

6f2bf53e333052923d34bb892bfbe30575270fa08cf40828767bf92bca15f52d

AgentTesla

869e8a26e04953a411e7454c800e022bbbb3825320ab6e3935213357789f0844

AgentTesla

897a1305d267937baedeaf75e35e386efbb9c5d7d66819aaecfd885e84196142

AgentTesla

8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09

AgentTesla

a16156a698c131d4f0b4e9127996873c5c9a108cebecc0fb24ccd30b847e86af

AgentTesla

b5fd16a3680333bc763cd5c9bdd1ea24a4387653503bef22c61f575f517cb6f0

AgentTesla

d9de85befd2a9049c9cea121bd32279d960716c95faa879b2863bba74ed8489f

AgentTesla

+ 11'050 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla persistence

Link:

https://tria.ge/reports/200810-lhm5bmvd2s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Modifies WinLogon for persistence

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar