MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae
SHA3-384 hash: fcd06141339bc7b2aabb7a0fa4695a90f0fe82a77f2bbdfa2172da4c76a25caf4c1520c5e5ba2c8efdaf165ac3fbfcdc
SHA1 hash: b3b63dc7f9c4059404dca6a3c06fd8953d0d1982
MD5 hash: aeeb102a75180b079a7a129668ee6374
humanhash: india-happy-foxtrot-jig
File name:boniiiiiiiiiii originnnnnnnnnnn.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:312'832 bytes
First seen:2021-02-11 10:23:18 UTC
Last seen:2021-02-11 11:58:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8oOJ0qvtMWjQ/TUL49JWZrNXwxl5R+k9jInqRDaCsjAQcP/C:8oM0qeVw8o0OkJ2C0AQcHC
Threatray 2'587 similar samples on MalwareBazaar
TLSH D76412F7A9D99B53C0BB467E69126403CF78ECB93A58CB4A065D73465332AE03A33453
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: relay3.redynet.com.ar
Sending IP: 200.107.202.48
From: vinayak <vinayak@saisanket.in>
Subject: New Purchase Order,
Attachment: NEW PURCHASE ORDER.zip (contains "boniiiiiiiiiii originnnnnnnnnnn.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
boniiiiiiiiiii originnnnnnnnnnn.exe
Verdict:
No threats detected
Analysis date:
2021-02-11 10:24:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2aeebc1a-4dae-456a-beb5-4439e73bf469

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116801/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6572.15177.27129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/605683
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae/
Threat name:
ByteCode-MSIL.Hacktool.SharPersist
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 09:26:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejjjfxxooznzz2ihua5eozc4kiqbufg7xfrdiuew7uydqx6gh2xa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0689d5aa88eeabb27ebb29c4a50ce9d1d125e641484cc649ab1bf34327e611e5
AgentTesla
15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288
AgentTesla
2d318a7721f5f1919929c0107f5e37e8a22b5899661e13ae112d5d16f99c1f5c
AgentTesla
30419f9c318a43b6ed51c101f086d95fe2f563b80cfb13ed6a7189ffe41c6cee
AgentTesla
8209b4a97fe3ede6c1c89bbd90a0e892bb9dcd82851836ed6b802a876d56eb0c
AgentTesla
8793f746e57548dccd3d8af4f2723d0d41cce3b9f6b217da30a255756ceec655
AgentTesla
8a1690fccff3d97874f1d71d344f99ca14b7e91b8c2acc84d6fbc28c2cc489eb
AgentTesla
96419e24a139be22003f18188eb9d4eac5fb5b8372dd055509365d0d6e4665d4
AgentTesla
d6544a0b973c2a4a5ee527a2aa91ea58825b12e3c32e7d93052b4256127f9d0f
AgentTesla
f654784ba7a16e6a46f093da4af3012c604e6101043e0abc36332fbd6c84c00b
AgentTesla
+ 2'577 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-a2e9ay299s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/02beafa5-022a-4e1f-8c85-4a005162ac8f/
SH256 hash:
9942e308a49644b0c62ca578f388e98d91c9e30e265e66f3f7c138b10b99df86
MD5 hash:
d5d562623b0aa767ecce1d4feb7ff15a
SHA1 hash:
f6dab8df0530e2921689b27753acb9334c21bdcb
Link:
https://www.unpac.me/results/02beafa5-022a-4e1f-8c85-4a005162ac8f/
SH256 hash:
4bd9b8597def643dd7a40aae35d202a299ec345ff6397858053eb8d4852f3e1b
MD5 hash:
63d9b6204586bf9f2458ed73f256fd61
SHA1 hash:
8593fd8b78ed60db89b4ca069544198a017da7fb
Link:
https://www.unpac.me/results/02beafa5-022a-4e1f-8c85-4a005162ac8f/
SH256 hash:
225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae
MD5 hash:
aeeb102a75180b079a7a129668ee6374
SHA1 hash:
b3b63dc7f9c4059404dca6a3c06fd8953d0d1982
Link:
https://www.unpac.me/results/02beafa5-022a-4e1f-8c85-4a005162ac8f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 182ba03ab4fffc80c9952905b61265161ad8563a4f096253c7dc52a8ce9cd1f5

AgentTesla

Executable exe 225292deee765b9ce907a03a47645c52201a14dfb962345096fd30385fc63eae

(this sample)

  
Dropped by
MD5 39559426496f0e659828b405e69fa3bc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116801/
  
Dropped by
SHA256 182ba03ab4fffc80c9952905b61265161ad8563a4f096253c7dc52a8ce9cd1f5

Comments