MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25e5574fa2c12795a3dfccffa7566eabc55508357e4914f1ae653dda2bb6729b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25e5574fa2c12795a3dfccffa7566eabc55508357e4914f1ae653dda2bb6729b
SHA3-384 hash: 96df00ce6ea7fdabeca041f4f3be3d980c66656426fcc1c0a3e1675f127b2cbabb2eb61924bd717561d27767ec280f90
SHA1 hash: 5b7b1a31fab153bcdef83726d4223a67b350e769
MD5 hash: 63a9b934712167950dbe911da663e978
humanhash: arkansas-lithium-magazine-hamper
File name:wezzy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:742'400 bytes
First seen:2020-05-23 11:17:28 UTC
Last seen:2020-05-23 11:46:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29d9aa9d7ab02ca63c870eb08d549a22 (3 x AgentTesla)
ssdeep 12288:ysybHd/zvDue757IRUPCYm+eQcFlxypu82quAJ0gXwtwimJEW6gkmTcb1b:H2xzvv7IRUP/eRFyp2qXJ0gQ5wERglc5
Threatray 11'076 similar samples on MalwareBazaar
TLSH 06F4AF62F2E14433D1A31A7D5D1B5F78582EBE513D2869462BE45C4CAF38783383A29F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: servers.com
Sending IP: 185.234.216.155
From: Michael Black<secureserver@servers.com>
Subject: PACIFIC PACKAGING INDUSTRIES
Attachment: billiones.zip (contains "wezzy.exe")

AgentTesla SMTP exfil server:
mail.totallyanonymous.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-23 01:26:22 UTC
File Type:
PE (Exe)
Extracted files:
263
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
7122cb64edc52abe8970efc389fa30aef082ef220e2c952d1f89e1f8001dc5c1
AgentTesla
9622729f9517d5a5eecd4a278ea564d750b17e300337a0f0e023c986bf0e537d
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d
AgentTesla
c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f
AgentTesla
c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788
AgentTesla
d223c5d9e8c4529cf905bb3c777f6850b21babd5ef85cd270db5a9e760ba4e0f
AgentTesla
da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c
AgentTesla
efd857b9c713b00e8359f0c58fdb42124b2b3fccbfd5de1ef95156cdee038170
AgentTesla
+ 11'066 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-92pbt8thl6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d0e0892a26ee75414b2181c36c4039e0f8dcdaa41af38be6b0d37dc9ad0ce4b7

AgentTesla

Executable exe 25e5574fa2c12795a3dfccffa7566eabc55508357e4914f1ae653dda2bb6729b

(this sample)

  
Dropped by
MD5 6fe93d35af42f56d19c7e08e28411615
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d0e0892a26ee75414b2181c36c4039e0f8dcdaa41af38be6b0d37dc9ad0ce4b7

Comments