MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be
SHA3-384 hash: 91df6bed5a4e058465394ca24bf80066275bf04db8f1fb99fad47729ca87746813b62ed24a58f9274559eae3f9545767
SHA1 hash: 5958c7eb0d93510ff00241c7257d7026c207c7e8
MD5 hash: 7416af0e6dbe13b36bdfe2e609b00666
humanhash: hamper-fruit-winter-early
File name:677809.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:555'002 bytes
First seen:2023-01-11 12:40:06 UTC
Last seen:2023-01-11 14:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:oY+ojsYcfslV1Px6E4ZNmnh6rzYk9Lbfd5vS9/TRTA:oY9sYcfslV1slZqhRkBbV5voVk
Threatray 19'917 similar samples on MalwareBazaar
TLSH T1E7C4BE14F648B242D9264671AF89E3F8425BED723911806D61D2BE8B3338D4F5FBB139
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0aba828c242492a0 (1 x AgentTesla)
Reporter cocaman
Tags:AgentTesla exe INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
677809.exe
Verdict:
Malicious activity
Analysis date:
2023-01-11 12:42:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ee6caf0-c5f3-4e38-9518-add2ab3e98da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351923/
Detection(s):
Can't write to file ERROR
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Reading critical registry keys
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63beae5fa66e2eb297384cc3/reports/318c63b8-baea-4652-8046-e8d38b29b8c3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86435130-ab73-4c83-9d97-4efa741140cd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149562
Signature
Contains functionality to detect sleep reduction / modifications
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782294 Sample: 677809.exe Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 7 677809.exe 19 2->7         started        10 vlxqnrgviurly.exe 2->10         started        13 vlxqnrgviurly.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Local\...\wuprisx.exe, PE32 7->27 dropped 15 wuprisx.exe 1 2 7->15         started        57 Multi AV Scanner detection for dropped file 10->57 19 WerFault.exe 4 10 10->19         started        21 WerFault.exe 10 13->21         started        signatures5 process6 file7 29 C:\Users\user\AppData\...\vlxqnrgviurly.exe, PE32 15->29 dropped 37 Multi AV Scanner detection for dropped file 15->37 39 Detected unpacking (creates a PE file in dynamic memory) 15->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->41 43 6 other signatures 15->43 23 wuprisx.exe 17 3 15->23         started        signatures8 process9 dnsIp10 31 mail.jackbarber.com 23->31 33 api4.ipify.org 64.185.227.156, 443, 49691 WEBNXUS United States 23->33 35 2 other IPs or domains 23->35 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->49 51 Tries to steal Mail credentials (via file / registry access) 23->51 53 Creates multiple autostart registry keys 23->53 55 Tries to harvest and steal browser information (history, passwords, etc) 23->55 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 12:40:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=evedufslfkz4wkb7jfhsaitzhomvsw57hl2bwbra3tj3bu6wck7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2b834fed267b4b47d6d783eb00cf7c770bbb85bdeec9fd008786fa55483cff65
AgentTesla
4a683b38bf8bcb7b198d4be37413033f2a015aaed075cbe81ba63e3190647dff
AgentTesla
5c46c800ec8a689b837f7c808b4a9bd81079b7aca9106d1a9cc45bfe2cae2db5
AgentTesla
6532e16d04ebfc98395b0e06fb2c1210d5064dc242c2c374beccb6b561a58f6f
AgentTesla
70a6380ac61f933eddc4cd126d95836371a933c5a311882701a5eaa1fd8b99f7
AgentTesla
aed18cdef3de7bb5192dec939a7b6e8989ce8a6dd1da25ae640f8f2586b29eae
AgentTesla
e19bcbf0c3ca0fe5e246cede2ef4ee264d0908faf4ca4b39aeb687c443f85f91
AgentTesla
f2b319e1d2fdad6549ad9f56894221d7c3f8706d96012316dae1b52231a46247
AgentTesla
ff22717e9029e6216a77e312cc38af5aa1df822e9c41396ac10bd192ea11952f
AgentTesla
+ 19'907 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230111-pwrh1sca76/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c5aaa469-a794-4464-9925-277c41e29c40
Unpacked files
SH256 hash:
587cd8ad276fb3f28da0337e1e8b0c8465f0f2140b8e52156006f8ddcdcf05e2
MD5 hash:
6be0c845693131031763c27ef986dde2
SHA1 hash:
5c6a4bc21da00170f403c62e6844167b1f165bc6
Link:
https://www.unpac.me/results/bba9d9bf-29c9-4510-9ea2-54e52416cda5/
SH256 hash:
f3cc1bc2cd628cd9e3659c191975713a13251f3076f782ec1edfa30e4e0384ce
MD5 hash:
193a2a799cd6bf1189d7f81677d33524
SHA1 hash:
1be4605ccebf949148840ac4f21d8e7973de5c9b
Link:
https://www.unpac.me/results/bba9d9bf-29c9-4510-9ea2-54e52416cda5/
SH256 hash:
d7565d792a50c889ff5dbcc76d754629f789ff5e1b60cb5e0d73cdb72ea3be2c
MD5 hash:
6ca33fa76bc79d261644367b29d4ea36
SHA1 hash:
3160e234ba87605126ec10d597920ab9b61feec5
Link:
https://www.unpac.me/results/bba9d9bf-29c9-4510-9ea2-54e52416cda5/
SH256 hash:
25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be
MD5 hash:
7416af0e6dbe13b36bdfe2e609b00666
SHA1 hash:
5958c7eb0d93510ff00241c7257d7026c207c7e8
Link:
https://www.unpac.me/results/bba9d9bf-29c9-4510-9ea2-54e52416cda5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25483a164b2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e61c559d005c75640aa4c96f500dbb1fab046505ecc017448736ac96690ced13

AgentTesla

Executable exe 25483a164b2ab3cb283f494f2022793b99595bbf3af41b0620dcd3b0d3d612be

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e61c559d005c75640aa4c96f500dbb1fab046505ecc017448736ac96690ced13
Cape
Cape
https://www.capesandbox.com/analysis/351923/
  
Dropped by
MD5 3e7cd1cfab54fd8ea79b7610d6baab2b

Comments