MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5
SHA3-384 hash: 3a30ebd1dd0f4c61758656d1370ab9a95d4cfed1155d1b3722a75d6aaf11880c5a5a0da115649f8bc1f74824e805c73d
SHA1 hash: 0770c6b7bbc102c8070e70208390d5f056515c1d
MD5 hash: 195dbcab53cf0dae73654d010d4c14d4
humanhash: paris-twenty-georgia-charlie
File name:SecuriteInfo.com.BackDoor.SiggenNET.5.10399.26751
Download: download sample
Signature AgentTesla
Create hunting rule
File size:406'528 bytes
First seen:2020-08-10 18:29:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:KVJPZfTaL6JrNE93k/hYyGC6SfYE9xqBmgBjPPEzU0zZwjebXzMSKWO:KfVT2kBE9ak7SwE9xqm8Ed4eHKW
Threatray 11'001 similar samples on MalwareBazaar
TLSH 8A84233ADA90C427E8071BB9151091885A9D61BF3997EB3F37DC03B86ED53FC47A2A50
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.10399.26751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Adding an access-denied ACE
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/417496
Signature
Allocates many large memory junks
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 17:46:33 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kagkk2t54ap33y6n2h6lhexlfj33e4dgmwt2fyeoadhiwqc4e7kq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17431eab4f753e88127e1bf94a796cb4f001ae3c0300ed8b98522713e7ac8e8e
AgentTesla
19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
897a1305d267937baedeaf75e35e386efbb9c5d7d66819aaecfd885e84196142
AgentTesla
93be03ee9522ffc9ea73dcf74bac994a5eabf6f373c0536f5c718af8ff819995
AgentTesla
99b1b22055fc3b65d41897f793b391692268773a7a316cb7afa88c7493c7bcbc
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
b023a34548a0f58904fab9d0c977edd8eef12a8185661dcb51b9937df768aed1
AgentTesla
d48370376555cfaf86feeef09793d4ea76dbac318737d651c298952766ed64fa
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
+ 10'991 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200810-7v2k54hdp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/428451/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/42909/

Comments