MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25605527f20f5d35b60f8e73fd14ddbcb376f8409606f692faf35d9c1c39c642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12



SHA256 hash: 25605527f20f5d35b60f8e73fd14ddbcb376f8409606f692faf35d9c1c39c642
SHA3-384 hash: af35ee0c6aa34397eb840dfa97ab114b116a911be274e5d8b973ee8865b5ed119b665c60fec2654153a00f5f57235900
SHA1 hash: 7fa32edcb89c7c5b7395a4a20a21f919f3520fe4
MD5 hash: b3bdbeaa851773087ce7c17e173340cd
humanhash: ohio-social-michigan-jersey
File name: file
Signature: AgentTesla
File size: 2'814'464 bytes
First seen: 2023-03-14 15:55:45 UTC
Last seen: 2023-03-14 17:28:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:xlfqi8gLH+tLuddxAxqIaFymX+NY4jbT:
Threatray 3 similar samples on MalwareBazaar
TLSH T129D58CB22297FECCE76F2D74D0242A409C205D67666C9248FDCA298F43E52A4DF5D6F0
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon e2ee8a8eb6d8ecf4 (56 x AgentTesla, 39 x RemcosRAT, 38 x GuLoader)
Reporter jstrosch
Tags: .NET AgentTesla exe MSIL

Intelligence


File Origin
# of uploads: 2
# of downloads: 261
Origin country: n/a

Vendor Threat Intelligence
Malware family: agenttesla
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-14 15:57:28 UTC
Tags: rat agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Creating a file in the %temp% directory
Creating a file
Creating a window
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict: Unknown
Threat level: 0/10
Confidence: 83%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph: (rendered as an image on the original page; Behavior Graph ID 826389, sample file.exe, start date 14/03/2023, architecture WINDOWS, score 100; the graph shows the process tree, dropped files, network contacts and matched signatures for this run)
Threat name: ByteCode-MSIL.Trojan.Heracles
Status: Malicious
First seen: 2023-03-14 15:56:12 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
AgentTesla
Executable exe 25605527f20f5d35b60f8e73fd14ddbcb376f8409606f692faf35d9c1c39c642 (this sample)
Delivery method: Distributed via web download

Comments