MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0
SHA3-384 hash: 849df358703dc99150de1b3c60b7b881d3339957102f971123cb46a86969408f6ca72016461a787340f45a8eb1c643a4
SHA1 hash: 3c46e03be40d1afdf5fa04177f9bf80bd3ffc6d6
MD5 hash: 2c57cbf2f6b090bb6317d22ab80bfbd9
humanhash: bulldog-georgia-oven-cat
File name:PO.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:750'592 bytes
First seen:2020-09-14 19:25:58 UTC
Last seen:2020-09-14 19:53:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 471772127a33258cfe3f224966954ae7 (5 x AgentTesla, 5 x MassLogger)
ssdeep 12288:hoRXFO85PEKTm9NFDemwzuV59YZVDYH+gTy6hfsne17tdpL87:h2c85Pm9NFDSuJeOb+ne17C
Threatray 1'516 similar samples on MalwareBazaar
TLSH 1CF49D22B2E05837D1B316385C2BA7B4AD36BE303D2499463BF4DD4C4E396913A79397
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/59557/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Sending a UDP request
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/465798
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 09:46:25 UTC
File Type:
PE (Exe)
Extracted files:
79
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ex3dqugjf6xoqhvo6tp46uyklzzgrfmx2drlqoz6irhgu3j4ztqa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
05793491a0160fba57cf1219dd69f0c49a1fd9a43cafe0f78590c1e526f298c6
AgentTesla
0a056539785f34859694bf0e1c074ddaa5c89b1c8c89ea99f00b7ab4f84c9215
AgentTesla
165a1197676a6b92b0086bbdb79a3b615c83ec9d686449b934c4475905608b2a
AgentTesla
28af2ba9b0384e3d4f9754ee8a62bb812c9a4d39bad72a56c38e75b38578537c
AgentTesla
5557f195ef620465126e6107f0b9f470c7f5771e7824fb5ee1e22efb70010124
AgentTesla
773844817fe0b8a1de69cd9c2960415754ae54b9b2df41c1fb3580ab8441e385
AgentTesla
9dd55f94cfb65ea2fb33a405e11c2c11a2aad46b113098012e7ead8e6e230a32
AgentTesla
b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
fc42c9f7177a8f1825e8ab9f391e37cb7e55c34116849e9253a78d4d089d08a2
AgentTesla
+ 1'506 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200914-w83hmww37e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 9751102a45867f2bf42c69dc2e61e3843954e705252fc2856093f418e74b7148

AgentTesla

Executable exe 25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9751102a45867f2bf42c69dc2e61e3843954e705252fc2856093f418e74b7148
Cape
Cape
https://www.capesandbox.com/analysis/59557/

Comments