MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624
SHA3-384 hash: a0efd7f8c17d2107e3733593596ecb0c8eac6f1e4e5f9b7cefaeb2b10faef2b735ae201266c1d7a06762eacb01e718b2
SHA1 hash: 5a2fe770d78c28f7b0d38013a56f3b4239b6a94a
MD5 hash: a274f97be7b1be902737ed79e06b5289
humanhash: stream-edward-foxtrot-red
File name:PO-001120230627.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:761'856 bytes
First seen:2023-09-12 09:25:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:j2iNZ1DnkGIm3bsLCteBSNnvTRs07uj9IO46h:j1pDnkTmLsLXB0B7aeOp
Threatray 5'366 similar samples on MalwareBazaar
TLSH T19FF4F19365994A9AFC2E137268774EEC0B321E3EDAF0681D289FF4274773347211691E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 13607332330b0bb3 (55 x AgentTesla, 16 x RedLineStealer, 13 x MassLogger)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO-001120230627.exe
Verdict:
Malicious activity
Analysis date:
2023-09-12 09:25:55 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/59d7e8e5-b238-456d-bbc8-9947e38c10d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448115/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65002eb0482c0b85d556e565/reports/5218ec7c-f88f-4e9a-952f-39c6299bf49d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a880e911-2ea3-4476-8ced-556d0e0ac399
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 08:08:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
17 of 23 (73.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exy64ogcjzycx5rpq2cvarxpdharrkxlxa6ueejtz5ouru4aeysa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
085c615e80911a5a93b3f1262ca71b88f81be327d2d3b594376a5b4e5533e68f
AgentTesla
1dd655c81c9df47334842272e37b501d38788f0cdedb3aa1a10ce0fd3b68ddbd
AgentTesla
4c5aafde9ec3711992c73ffeabb62dbbc2f9cd2b0d398ba7783d7890f0704af0
AgentTesla
6d731cdb770865654178d35ddd42ed30c749311de73924037707997e363e0bb0
AgentTesla
78f25ecc4d28fec2c11b821ec4a8b4a6f5cfb7ab7dde361c0a9d632b40c65a4a
AgentTesla
7ca4331b53cb649259648314c7e8eb267cfba6d16fdbc58273fd1005584f4b91
AgentTesla
8729ea2e975594942343d1407bd47345daa356b354986bbc6efe9a86fbd3ca19
AgentTesla
940452c26b4fd683f1c88746b751d4299e9b8c3fe25aa62168eca31924c17592
AgentTesla
ad641230d3be8895193642d333ed88e1d6e94c209dfcb6c1932cd6a7f324a82f
AgentTesla
d22d6e60b9dbcdd803d619a6385de359f83f1140c0c69afccc89e0b122ec60ad
AgentTesla
+ 5'356 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230912-ld69zabd2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
aaa4e7c33a44a009da6064090847f94539177ad8d7ed362e45bf8e509b8931ae
MD5 hash:
ad507ce36c650b07de503431c5840554
SHA1 hash:
b57e464bc43e000bcd3f9716ada804b8b41689f3
Link:
https://www.unpac.me/results/e1246e9d-c710-47cd-ae09-d7a7268f0978/
SH256 hash:
b289ddc60df129de7cd8213034b5dbc9e138d7ec47a74307a407a797e2dcab60
MD5 hash:
7dba2a5b3d1683a9339633216758db04
SHA1 hash:
524fe16f3b4b5cc918b86171ce550cf72573f766
Link:
https://www.unpac.me/results/e1246e9d-c710-47cd-ae09-d7a7268f0978/
SH256 hash:
a218b3f98261de21219394a63c6d09e406770752bdd37e1e5b76c89cfd34d35b
MD5 hash:
ab4e4f28e82c4f9c3ecbc43d46abbe74
SHA1 hash:
388697fed1c18bc7940103259ec224eae1562ee5
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/e1246e9d-c710-47cd-ae09-d7a7268f0978/
Parent samples :
d22d6e60b9dbcdd803d619a6385de359f83f1140c0c69afccc89e0b122ec60ad
1dd655c81c9df47334842272e37b501d38788f0cdedb3aa1a10ce0fd3b68ddbd
25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624
085c615e80911a5a93b3f1262ca71b88f81be327d2d3b594376a5b4e5533e68f
ad6ee23a2e0deb51e646bf9f0431b43186a8beb06db86b6fa20cd818802921fc
d246d03c67257d71277b24ba2c387ed4d29a25f47e814292ec97e2a219f0a836
2a7f29fe774787c8113c673d662636b7779cdb568ea460e16f840ade9b5a2350
393ad633aa2e88f596d747a007ab75fe7a3e71227d2b4281ad1b32ce7fea0ced
45e98e952c7b55d2a5d1c508bd3a7009e5c4ad2f162bdf883dc280f6997c071b
4b4f00b944e3a1da3396f3f572f4e04535e64b9111f8790b0a05c541e5d56e85
56d3b9b155d9638efda3785f3e71bf29dcf162346d5e5d5481735f53bd9e64fe
12ce7f3f07157d625b5731f16f2f395f859b58b31e7e18abaa5fe409e233661f
68f6a5d1e90ce94fbc1fb4fb8d4a809dcb4fe8af2ab66e29fbe7678672949215
c8ffc83919d2045260e70301c44ef7d5090149661d4e4f9a7a67d55aef984c68
d1f51cbb32fea7f702c71d3c742839e5ff5cdbff34e2cacbc0e4cda58ae16722
b1238fb6ea47e24b96a2582464a2fc3a9de6a3a781c35faac7fd98e974c78e1b
44ed47b1d9b377ed27d2c5541a4d1cb1e82be3e2d80750784dc476f08de5ed85
8d767518bdc0fda97fa2de2cb1ccfaf88f99bb98f5b9d3adfe625a658a37f77f
87827fe80241a3ec5bfafe80fc4f7a3dba26f016ed2d3f61963140532f4c27fa
7d9ffe4901d60bd70a17d7b507820f79f67ce33ed933bc6c109fdb1096429570
5a2c73516c221e21e5fb720078cef912600499b036109ca6975588d993a1cbea
2dc33327459addedb7432844f2fb7f77f971c7b50542b77d7343c7b205b8d9f9
0df07d743d2b9a725f075819ce9aba1e2139494ba3c97c1d7a38936c2d6012bf
4ac2605c528602e4762b48ea363f41702341d183d311b292824d66545f28d2c2
SH256 hash:
784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80
MD5 hash:
5caf74e6818e40e82651781613a42425
SHA1 hash:
2a182b1552373e0907bfd03db31120596df994d0
Link:
https://www.unpac.me/results/e1246e9d-c710-47cd-ae09-d7a7268f0978/
SH256 hash:
25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624
MD5 hash:
a274f97be7b1be902737ed79e06b5289
SHA1 hash:
5a2fe770d78c28f7b0d38013a56f3b4239b6a94a
Link:
https://www.unpac.me/results/e1246e9d-c710-47cd-ae09-d7a7268f0978/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25f1ee38c24e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:MSIL_SUSP_OBFUSC_XorStringsNet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:msil_susp_obf_xorstringsnet
Create hunting rule
Author:dr4k0nia
Description:Detects XorStringsNET string encryption, and other obfuscators derived from it
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 25f1ee38c24e702bf62f86855046ef19c118aaebb83d421133cf5d48d3802624

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448115/

Comments