MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
SHA3-384 hash: 6e3f5c3643a3e1473384b984a965d998ddf01cbc79d958327cd4e96b1075b0b69fb7761a30418675e7a168918664f10b
SHA1 hash: f5962743cb0fd54233fb46de3db0275c69db4f37
MD5 hash: e4a4bff8c862d1506f4d6f3a7075b102
humanhash: johnny-thirteen-twenty-east
File name:25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
Download: download sample
Signature AgentTesla
Create hunting rule
File size:905'216 bytes
First seen:2023-05-10 10:21:58 UTC
Last seen:2023-05-13 22:41:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PXlj+8Ff1fX4M0A87/vX1EXeu60t6uQnwXdRETcKYO9Bx+X8Ui0p73X+Yw9qZetk:vc8Tf+AyseuN6Xnwnm6OrxtUiy+Y40z
Threatray 1'124 similar samples on MalwareBazaar
TLSH T19E15373C19BDE22BD1B8C7A58FD18427F790A46B3115EEE5ACD64391432AE1235C723E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:18:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f64597dd-1bda-463a-9117-2ea4e0c40ace

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388123/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/645b704c8399e8849cbcc007/reports/ab1c79ae-2de2-45bb-8bc4-1f5aaa9d1bff/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f859cce8-6946-4ef3-bdfb-25f77d349675
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229923
Signature
Antivirus detection for URL or domain
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 00:06:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 37 (64.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ex3nmffs63y46wzhenjex2a2nltpdv43einwfy5t2bo4pgumu5ya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
251ca0215e976403d529fba60bd67ca614a3e6b18a7f2420c64acbf31400ed7c
AgentTesla
6118fb1f75058c3bd77040399fad44126181a9b131396a4f1ab7e6622c826dda
AgentTesla
cda82f06b8f05c60f37924977b2f27bb87ccc6d4d5b8f5a0416e588345c3d162
AgentTesla
+ 1'114 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230510-md8cpsfd86/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
25b5bbd28776c62e79eebd5ded8631d60339e988ee6e369084a0871ac9dc5141
MD5 hash:
9c2490a70fda3e2e6287e538344c6fa6
SHA1 hash:
f77d124510b239b18f614d08c36cbee039ce2906
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
SH256 hash:
58d2780bac07a53fa9ef0099c386ad23c2c5b83df99e18bbcca9895f829ef5d8
MD5 hash:
3a6ac846fbf56df68c3cb61cd18c7623
SHA1 hash:
e5b7f4e47b357f330b33330663ff5739a02d442f
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
SH256 hash:
87d82d63be5a78b054ea4750731231966552a8b27ebde0489a6b52b5a67a14b6
MD5 hash:
863eab011dbb2b1e478169b916acc216
SHA1 hash:
df1232b40ba67106899b74f7a1912f72885bfc19
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
Parent samples :
514be543f4e307be6133a891b83720ec896a19fb44a57cf3df0b9717848fc040
7c7c175dfa9da91a269d895d032e23574102163d9b6a37d4969f16e54dca120d
6d7877be905049d2f5a8716b8e778ab4e32f4ee52e1496afa1c6e8bb8dd5ff49
90fb63402e42d02695cf388e248f6001e7ac20242837387df1fa8757c827cad7
135e204ebe9c5fc699eeb7cdb425d2bf184ccbe5a092bf792bc6be37d865c7fa
25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
5a925dd08badf3436cb55fc88cf7cbea994d3a02f7b3fe2d5d476846dc70fe83
611dad2e5706b08c8c13bf36b1b343258f4ff4182da5755de5f690d51a84bbb9
dd97e442a5d58e6c58f21d6ab84a80dd0b111ddbfbd7ab7feed758dac15eebad
817bd982ca96a349552017122eab3db9f948bdabe4fad431145085e10ded2a9d
156edd0a9601b7c286fc43e7726662bd7ff72ab0cf0ddb6a229683359008c823
SH256 hash:
6f6774e399ae21ff90691dc37e2c65f5a8c5ddbfde4ffe1266d2c0f61b929a3b
MD5 hash:
66100a7646bbe7b6f78565c04941fd8b
SHA1 hash:
79a6084f4e04d3757dd127879de0c1785e818d2f
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
SH256 hash:
25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770
MD5 hash:
e4a4bff8c862d1506f4d6f3a7075b102
SHA1 hash:
f5962743cb0fd54233fb46de3db0275c69db4f37
Link:
https://www.unpac.me/results/18a46bbd-723e-4c08-aee2-f5fa479c5ae1/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25f6d614b2f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/25f6d614b2f6f1cf5b2723524be81a6ae6f1d79b221b62e3b3d05dc79a8ca770

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388123/

Comments