MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b
SHA3-384 hash: ef8984435058f508c81b36c403e86c5b9e3a3be93fe0a3caf495d192f82af2a0c61c04acfa9e0172a0d3170027ba021f
SHA1 hash: 670dba7445bcfa7ffbdaf97f66b21c962d7fa7cc
MD5 hash: b5cd33eb48bf6c4d09c6da04b1794a83
humanhash: pizza-magnesium-table-sodium
File name:25117250468990F967AD94AA32EF8F26151F80A67516C.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:437'248 bytes
First seen:2021-11-22 05:30:53 UTC
Last seen:2021-11-22 07:41:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:ruur4FQ6gbYaD1AhTcMfNiKWNIcRJsQEwLxolTCRd6y80M6Pgt8OVszscD4udRBn:jsFQ6CYjcMfNsKcRJN8eKYM6I+kszdb
Threatray 22 similar samples on MalwareBazaar
TLSH T1F194D0AD17E2F89DD1C14D3A1D451BEC6EFBB4982B6AB1E247218A3FDDB804493103B5
File icon (PE):PE icon
dhash icon e0e49a54a4acb8e0 (1 x AgentTesla)
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://treysongz.org/a1/WebPanel/api.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://treysongz.org/a1/WebPanel/api.php https://threatfox.abuse.ch/ioc/251896/

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25117250468990F967AD94AA32EF8F26151F80A67516C.exe
Verdict:
Malicious activity
Analysis date:
2021-11-22 05:31:56 UTC
Tags:
evasion trojan rat agenttesla
Link:
https://app.any.run/tasks/0cfd7c02-5a28-4db2-9191-92ea95f9f6e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.19347.29122.9969.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Creating a file
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da2c63a6-8dc6-4c79-9d29-3110bb0a7f37
Result
Threat name:
Agent Tesla AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893564
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Compiles code to access protected / encrypted code
Detected Agent Tesla keylogger
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Csc.exe Source File Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526042 Sample: 25117250468990F967AD94AA32E... Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for dropped file 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 9 other signatures 2->42 7 25117250468990F967AD94AA32EF8F26151F80A67516C.exe 8 2->7         started        process3 file4 22 C:\Users\user\AppData\...\clyftywz.cmdline, UTF-8 7->22 dropped 24 C:\Users\user\AppData\Local\...\clyftywz.0.cs, C++ 7->24 dropped 26 25117250468990F967...1F80A67516C.exe.log, ASCII 7->26 dropped 44 Writes to foreign memory regions 7->44 46 Allocates memory in foreign processes 7->46 48 Compiles code to access protected / encrypted code 7->48 50 Injects a PE file into a foreign processes 7->50 11 RegAsm.exe 15 16 7->11         started        15 csc.exe 4 7->15         started        signatures5 process6 dnsIp7 30 checkip.dyndns.org 11->30 32 checkip.dyndns.com 193.122.6.168, 49744, 80 ORACLE-BMC-31898US United States 11->32 34 treysongz.org 34.98.99.30, 49747, 49748, 80 GOOGLEUS United States 11->34 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->52 54 May check the online IP address of the machine 11->54 56 Tries to steal Instant Messenger accounts or passwords 11->56 58 5 other signatures 11->58 28 C:\Users\user\AppData\Local\...\clyftywz.dll, PE32 15->28 dropped 18 conhost.exe 15->18         started        20 cvtres.exe 1 15->20         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2018-08-07 04:57:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=euixeucgrgipsz5nssvdf34peykr7afgoulmkur2dvxednfyikfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ae13a39ba870f8b572d742a201f342a022e9a541eea06143996839edd8a8906
AgentTesla
1cf22420a396d9602d5028670b9e175550da36e8fe4c3bbe85a4de01419d8f2f
AgentTesla
94d008685ba759f32d3b80b5542394c9bd4a4f2ca42781cb67f31a7460244bcc
AgentTesla
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
AgentTesla
aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
AgentTesla
db7e5d45fa42c06279ad79cc8d00a2f95f731445b719c91515b17cf8467a7b86
AgentTesla
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
AgentTesla
e9a8bf4f31da146761af10a16f17c402c2de1bfbafe5f770b1ffadbe373a2aa4
AgentTesla
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/211122-f7qanahgh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
8f97ab074ec4eb7128a0f25fd71017c50454cd4f8ed0b896741ef3380ce00a18
MD5 hash:
d956b6848a95b6bffde25374b1ac8c62
SHA1 hash:
cca96e199e144eaaa2e4c7300081e36bdfb0bb0b
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
fde93447d7787b09a6accf27ab31c6a4032755efcab6dfdb74c68f9af5badc8d
MD5 hash:
5cbc8c6a66565704b472e6a7873c54bb
SHA1 hash:
3f245cd2c3d6c964a18918b81db404d7ad76e891
Detections:
win_agent_tesla_w0
Create hunting rule
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
475abf5808cc4e79563aa24a9a7d1f3d42a20a3d2b4cd4e34a594fce2032e21b
MD5 hash:
36e82b97fea30d40ed03c035813ceb7b
SHA1 hash:
2abe92f169887446e0008c78e33a12ce79471bb2
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
751bd22ee658163edb243228732fca61cec283123a89639d9d5b7eee82cf0b99
MD5 hash:
7addf8ca5f6b510be8639fedd288183f
SHA1 hash:
097215581b44d46fc5f533dd5eb23f142678d7b3
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
ff3a9769eb9865298b496f84ef53828e691e60fa8a34b5f9e950d3ff8bf6ae5e
MD5 hash:
ef0ac34700f19ff775c3dbeeb735e74c
SHA1 hash:
044ffb80f5cc1050b8733c50c382105eb73000a9
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
SH256 hash:
25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b
MD5 hash:
b5cd33eb48bf6c4d09c6da04b1794a83
SHA1 hash:
670dba7445bcfa7ffbdaf97f66b21c962d7fa7cc
Link:
https://www.unpac.me/results/c53d4a13-d06b-4e2b-acb1-09b86009cfab/
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/251172504689/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25117250468990f967ad94aa32ef8f26151f80a67516c5523a1d6e41b4b8428b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:kevoreilly
Description:AgentTesla Payload
Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:agent_tesla
Create hunting rule
Author:Stormshield
Description:Detecting HTML strings used by Agent Tesla malware
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_w0
Create hunting rule
Author:InQuest Labs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208009/

Comments