MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 501df6f4559c2f82720d038575c3d225ded2a09f9096e82b0eab14f2bfa551c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 501df6f4559c2f82720d038575c3d225ded2a09f9096e82b0eab14f2bfa551c7
SHA3-384 hash: e3ef2c61174c28bb7ff3c48b16418863b49439de81d91caa7d373359d71eeec2e567cae700115d138b588d958ee12033
SHA1 hash: b6acdfdb832d5cef1cfe36ea38dcc77568d4b2de
MD5 hash: 56e93ef960ca8be08d1c39b277e54bbc
humanhash: comet-red-winner-south
File name:56e93ef960ca8be08d1c39b277e54bbc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:270'440 bytes
First seen:2021-05-14 18:19:17 UTC
Last seen:2021-05-14 18:46:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 6144:kgORai+tjjvca0a6pj1v0YoGvG2USfORclLQEF608iB:kgmWjwRNDv0jabWclLR608+
Threatray 4'977 similar samples on MalwareBazaar
TLSH A044225165B1CF77C7938AB10E3E1A81BAE1A52D2C72874B77603B4DF936190EE0C362
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chrome.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-14 00:49:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24d40bf6-d38d-4a87-9661-114e592b4dea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/156896/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782165
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/501df6f4559c2f82720d038575c3d225ded2a09f9096e82b0eab14f2bfa551c7/
Threat name:
Win32.Trojan.Spynoon
Create hunting rule
Status:
Malicious
First seen:
2021-05-13 12:44:33 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kao7n5cvtqxye4qnaocxlq6sexpnfie7scloqkyovmkpfp5fkhdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b0497a471a34be0ac2c4719719527d6a73b4a0ad0d7b8f43d9c9af5119ce9cd
AgentTesla
0c397ebc470f59440b6a317a88a2592c0b05057cea1ff2f31b9fdde549971aee
AgentTesla
5900f745d083540f3f44b390daf4a39a3a6bf9792221ad6bbc6c26eaf8032a57
AgentTesla
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
AgentTesla
76454d33033a544aa660684850c8a58b5bbee3ed14439e11fee71a137033c171
AgentTesla
77dafc4c23c98c2d0518eb6bcee7cfc13128c249dafc4d5faefbfb67425f40e1
AgentTesla
9f069730633944b6c79d2c813d4be0c9f798f95814596aff02b07c0b19b63237
AgentTesla
b24dca7a4be8c8bf61d8e2c17bb596caee88f6f2aabda72c14dc6f0f3684bb87
AgentTesla
d2adec41dcdb2142c210a4025572e29e1c011d079fa04504b35ab55c03376a16
AgentTesla
eb12f5ac4c8669a097af19e970c05103b43e542a4ad162401c68acef25ff8b5c
AgentTesla
+ 4'967 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210514-anqtyvx3ga/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/501df6f4559c2f82720d038575c3d225ded2a09f9096e82b0eab14f2bfa551c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 501df6f4559c2f82720d038575c3d225ded2a09f9096e82b0eab14f2bfa551c7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/156896/
  
URLhaus
https://urlhaus.abuse.ch/url/1173557/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-14 18:59:51 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread