MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
SHA3-384 hash: 7417e16d1354bee4e3fb6a98e5b16583879578c3975dc394ad62c4c60b2377ca30ab5b093b72435aad807840c03cb34f
SHA1 hash: 3a5c5285262f0d10fff8756fc071b139da23e803
MD5 hash: e7bc7eb1caff2058f727a39eff9247e3
humanhash: autumn-avocado-friend-massachusetts
File name:25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
Download: download sample
Signature AgentTesla
Create hunting rule
File size:458'240 bytes
First seen:2023-09-07 13:24:42 UTC
Last seen:2023-11-09 12:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:iDuSNJA7yfJo1mJxRHHE6mRsc9gC8NLhPtD6IA1:iDuSNJA7yfJYOW
Threatray 5'602 similar samples on MalwareBazaar
TLSH T1A9A4F813BE44DB11D2987D3BC2DF6D1803B1ADC34633920BAF48BA6269716532D6E76C
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f0f2b2e834b498 (29 x AgentTesla, 12 x AveMariaRAT, 8 x RedLineStealer)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
Verdict:
Malicious activity
Analysis date:
2023-09-07 13:25:49 UTC
Tags:
agenttesla stealer
Link:
https://app.any.run/tasks/64234572-20af-4ae0-9ae2-f62c30c53ef7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447166/
Detection(s):
Win.Packed.Generic-10003641-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Sending an HTTP GET request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware hacktool lolbin packed packed replace
Link:
https://www.filescan.io/uploads/64f9cf302a262962b79690da/reports/a4369496-e0f4-4a5f-bd29-3d2fa3b8c727/overview
Verdict:
Malicious
Labled as:
Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fdd795bf-b74f-4c72-a41b-daadedbe739d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1305343
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305343 Sample: 3Tzm9pGIDj.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 4 other signatures 2->36 5 fCVSa.exe 14 2 2->5         started        9 3Tzm9pGIDj.exe 17 5 2->9         started        12 fCVSa.exe 2 2->12         started        process3 dnsIp4 18 173.231.16.76, 443, 49730 WEBNXUS United States 5->18 20 api.ipify.org 5->20 38 Antivirus detection for dropped file 5->38 40 Multi AV Scanner detection for dropped file 5->40 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 5->42 44 Machine Learning detection for dropped file 5->44 22 mail.unitechautomations.com 192.185.129.60, 49727, 49731, 49736 UNIFIEDLAYER-AS-1US United States 9->22 24 api4.ipify.org 64.185.227.156, 443, 49726, 49732 WEBNXUS United States 9->24 28 3 other IPs or domains 9->28 14 C:\Users\user\AppData\Roaming\...\fCVSa.exe, PE32 9->14 dropped 16 C:\Users\user\...\fCVSa.exe:Zone.Identifier, ASCII 9->16 dropped 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->46 48 May check the online IP address of the machine 9->48 50 Tries to steal Mail credentials (via file / registry access) 9->50 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->52 26 api.ipify.org 12->26 54 Tries to harvest and steal browser information (history, passwords, etc) 12->54 file5 signatures6
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-07 13:25:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ex2fl6jw7oednm3dna6ebe4wzyzyw2ryxew2bdv6pn2efptrb62q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
332bd128b3b9a33e9d363b6a9578739d94471de4fe26d931bcff80219fcf4e9a
AgentTesla
36c15da245c3b9a2bc01bf408f5d9ee73f484d9a010a41a09a8ddf552eed7dc1
AgentTesla
45bdec922b686dc1a2cce49548dd152185bbd961f73d7f166740f5bde455e04f
AgentTesla
478d51fa24c69ccaa66567cbcdf3105f7c302bbba2b88db7cfee19fe84acf64f
AgentTesla
6eddba1588ba6d7183a7940a9974cc188c5473a5087f6853dc40c48df726d598
AgentTesla
8d83bca79f2bc2c8de276322813a9d775891c8445191f196c302f0965ba62ba3
AgentTesla
9357718e3aaeef225d04c8f1d8fde88bd210fff3c1205ee84c0c1f7327bd17f3
AgentTesla
ac10ca617baa3ad65badaed406b424473517cbffe025e5356b64962adc40c8f0
AgentTesla
b964fd0b9facd76d7dd84b3491df66d51c5e95fd4385f47afd9764a72ebb939e
AgentTesla
d001e62f6bb0d2962a91f42ea0f926c941469af16f5df7da0cdf66eac3625da5
AgentTesla
+ 5'592 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230907-qnx69saa3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
MD5 hash:
e7bc7eb1caff2058f727a39eff9247e3
SHA1 hash:
3a5c5285262f0d10fff8756fc071b139da23e803
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/b4217833-27ee-48a0-abcf-8c77551cf897/
Parent samples :
25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5
c22334a30489c310ccebd2eb69b289bf3f01461a72a4da146a59cdaa06283e04
e6b297fc5effcaa65ed935f78e8b663257f447a9f569c4da0411854fe28a75e7
c1d57ced264a612aa7069940bd8bc2ad9b1b5d66cf8258ed58027b6101d60e28
ec782c6c9788c784234f2bf815b0a2774d55e5a08d42aac4ddc79f8710b4d469
d228edad00c7342f36732017beec3c7ea9057b6ff8c527198ab29d9eefcee645
7eaae233b18c778b06506f210e3c6f3076bcd1957930b3ced131749683d05703
71357accda25349b67f991641c8e64697016e6ca4046602dca0c7ca253ad582f
1e1a3828028401c6052fd951935347159121c19c01e7dc47fa2d4620a60c720d
f1a6e53beb7e03091a732ba8d1093eb5162dd620c85f7ee44bdc6efe25c3c853
6398b922ae61c54c8ccc93725d584c8e3f0c3005716cd21fd63fb79e3bc78836
4e9869213e582a8e92d9404c2d74019b550c4363c5855bb6d8a6698a417bc64c
f90d6b1d57aa25effd10bfff611d754196e2244df30a2da41a2ba56eed8d9bad
47fc622827b4898f1fd2735731f6d8c03ba59f65c81411233d4844211749262e
5f934b9c66294466761558a608c02f2d3f73dc5a05a63bb52a5e0e1b0a9a173a
eb0c9f7ff7106033740df49533023ab8c93304ec66c76496dde0aab528a7472a
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25f455f936fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/25f455f936fb8836b363683c409396ce338b6a38b92da08ebe7b7442be710fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447166/

Comments