MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074
SHA3-384 hash:	a21765262027f478591772b314bf75882d09129526ecdb4e85ed581a4574882a1dd5b8ecaf0ab6cc19bbfba8bfd2c7b1
SHA1 hash:	c39f7123c829eb3d816dcd3577ff63db738b5abb
MD5 hash:	f9dbb8429d29b0862d9f8c6ef59eaa07
humanhash:	connecticut-nine-cola-kitten
File name:	SecuriteInfo.com.Win32.RATX-gen.20857.20063
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	804'352 bytes
First seen:	2022-10-31 05:12:40 UTC
Last seen:	2022-11-01 10:46:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:GnXpsAgHtDg5xE1WvMPNJGbECdhrpRHmjOpEPRC/5IRByi2kW18HEiVorLb355wJ:54hv8NJGbndR7HWVTX2k7XorX3g39
Threatray	20'119 similar samples on MalwareBazaar
TLSH	T1E405C03439EB911DF277AF718BD5B8EE46AEF7232607E46B249103824713B81CD91639
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

SecuriteInfo.com.Win32.RATX-gen.20857.20063

Verdict:

Malicious activity

Analysis date:

2022-10-31 05:14:06 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/b3c52e00-c40f-43b9-8d1f-b6effd00020a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326253/

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.20857.20063.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/635f595ece1f43143c2a2055/reports/fe6734e8-5f88-4a17-b459-ee9cf1b33cdc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01d91b06-bd10-4e84-83a1-1d03b70caf51

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1101446

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

.NET source code contains very large strings

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-10-31 03:12:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

31 of 42 (73.81%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a4s4jt7h5mmra2qug56bayxehawnz4m3hduqmznt4jvsmzu54b2a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

45fa164b6426a399c2720ae533c6ad0f5d024cf6d7a2f43313ab1b8d5ac9c269

AgentTesla

53f30e0174d4f4a422bc8ee8ab174bf13c96dc312b6c472ccf43b6e33262f976

AgentTesla

66ad671957356b0a979ac4ce68ade78f8ddfda2dabd4e1dc0b1ec68a1ac6dcf5

AgentTesla

6c177f41f62f5cc7d9f8f3ce384c1ed1aabf9ff0e181e5f7a1f59d450b731a8f

AgentTesla

77e60f86df5027b5cddd14fb1e0acc3e9a2c5456efeea831118d36180358c591

AgentTesla

860acfa8cc9161f4af864a53a163fc3b18652fc7b974f8e36d3823d880653105

AgentTesla

a46ba907fa55dea9842e0c9a005d71190c7630d033432fa60c5e2996333c3bd9

AgentTesla

+ 20'109 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221031-fwd39aabg5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

AgentTesla

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ccbd8362-0a09-4881-8636-d1629190a4c0

Unpacked files

SH256 hash:

e590ea69c4cb25b6267f395529ae988293e7cedd0ebe8bfcf0d98ae91e35bffd

MD5 hash:

61f9ac5773da429ada5bba98b13dfcae

SHA1 hash:

e9e8a04294a20f204238f339236ea74a1cfe2093

Link:

https://www.unpac.me/results/04542662-703b-4aca-9347-07baea7f50cf/

SH256 hash:

a327516357b9fa1a75753b3fbd0030e13f374be7cefcdf983d0b731f278b0c59

MD5 hash:

404efdeb9931733904da07f96fabeb72

SHA1 hash:

7ce363cd612f1d9a90b33ec196c4d0a49cdaee02

Link:

https://www.unpac.me/results/04542662-703b-4aca-9347-07baea7f50cf/

SH256 hash:

9cd57caf724c9959abbc9a9668334eaa3b939bfc88097a274362268f558fb246

MD5 hash:

6fe4812f37db962a7871de0ed9da4068

SHA1 hash:

74dc85eb02ac1517ca83f827a43ecc85dfde3fcd

Link:

https://www.unpac.me/results/04542662-703b-4aca-9347-07baea7f50cf/

SH256 hash:

0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074

MD5 hash:

f9dbb8429d29b0862d9f8c6ef59eaa07

SHA1 hash:

c39f7123c829eb3d816dcd3577ff63db738b5abb

Link:

https://www.unpac.me/results/04542662-703b-4aca-9347-07baea7f50cf/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0725c4cfe7eb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/0725c4cfe7eb19106a14377c1062e4382cdcf19b38e90665b3e26b26669de074

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.