MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f
SHA3-384 hash:	11940d6177854b5e730ae161284df085808826645717cb865ec2198e7b27e57cad5e504736fc82d4bb22d4db665b1c59
SHA1 hash:	18f8cb77d57f3b1700c8f0d74af349f02d854663
MD5 hash:	5ade04d7e67135f7856bfd1a6b3b0ac4
humanhash:	texas-hawaii-uncle-moon
File name:	000000980000invo.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	474'624 bytes
First seen:	2020-08-04 13:24:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:7+EAXVJ0IfqYGQzdcLO41zBykypul0M2:KEAlJbfqYG7LOqyDpu7
Threatray	10'667 similar samples on MalwareBazaar
TLSH	60A4BF02F25C9A6AD9231439CCB7B52723776A6F9702C30B905976EF25633DA0173E4B
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: somosindustria.com
Sending IP: 45.137.22.52
From: sales <sales@somosindustria.com>
Subject: Factura/Por favor reconfirme sus datos bancarios
Attachment: 000000980000invo.z (contains "000000980000invo.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/38714/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/409465

Signature

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: RegAsm connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-04 13:26:08 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=exoboxv2qkyol4kdrt6psknf5t625psgiu6jpienedy4oyx4xexq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

55e93e43efaeb600deafd813f7eef356e836904b0d83e545dc47b3ed0078316b

AgentTesla

6fa3a8b31b5aa450afc06a2a08149af42ef62ae7be55d93db25ec2c3e3edb93f

AgentTesla

781a56527b7273e5936047b5646c62d2ce6e3b4e24af696d75720caf764dfcb0

AgentTesla

7b668bf6740289b2750a497800467fcf725fb111071e3ea4e74153e5159a3aef

AgentTesla

90fc295b535c006ac6488b5a80d75e34af4ddf022731055cf973eb28996ee945

AgentTesla

9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37

AgentTesla

af4614a203bf30b1a7d9cd1f3eb86ea531dd2f15849a69fd8df3f0502f58e4e1

AgentTesla

bd8868cb1bd0343570335de12034c90e20a8287132f4444ada491a00a6d0ed5b

AgentTesla

f4540704d5523550479941871d2af08967a64523fe1110f90a37bbd85e935f49

AgentTesla

+ 10'657 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer trojan spyware family:agenttesla

Link:

https://tria.ge/reports/200804-y7rvw6hkhe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar