MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e
SHA3-384 hash: 7c20427099d1e36d7a0237db522d543076169356f9ec866f426af6bc98188b41e13b6194eb0431d5f024f8cc40039adf
SHA1 hash: 6381aa935efd4b7a0e79aba630ca6ba728592a43
MD5 hash: b7119b7b2f4b613f44a7a51771ff7d70
humanhash: louisiana-purple-blue-solar
File name:SecuriteInfo.com.Win64.TrojanX-gen.26182.14183
Download: download sample
Signature AgentTesla
Create hunting rule
File size:179'200 bytes
First seen:2023-08-09 11:39:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:he/BQt+uZj3ViIisLk35bQzQ95snIIIIIIIIIZnIII2nIIIZnIIINsHIIILHIIIu:8p21ZjhGIBOrPaOYdSkjiRNqOP3l
Threatray 5'511 similar samples on MalwareBazaar
TLSH T14604BB74A1F26AC9F896CEB29E61E609FFE70C819A41421FD17439F61233B84C6451FE
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win64.TrojanX-gen.26182.14183
Verdict:
Malicious activity
Analysis date:
2023-08-09 14:45:43 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/66867b8f-d86b-4353-97d7-91ad9491c995

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441602/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.26182.14183.UNOFFICIAL
Create hunting rule

PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuserex packed packed
Link:
https://www.filescan.io/uploads/64d37b152a1db2a88ac44657/reports/5a8c2194-2560-4e71-8c14-29917995fd1b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ae246a8-ca6b-495c-9f5e-e2f2eaf83220
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1288492
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-09 11:27:02 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
18
AV detection:
11 of 37 (29.73%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjifjrarlip5w3734sctnwhfjl6pnqnos5gvv7nxtvtem5u7inxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
185bc84b981c40e78829c220a28b4e7c431c2eefbac90d335b4a354986fa94de
AgentTesla
449947dedfa89870f0f4d5dc86edc66c4656a6f94504167bbe4f803cd5c16076
AgentTesla
6a3bc2efcecdd25c5257e19e630b5785dc9e8ebb259773d40d2fc4c19e377285
AgentTesla
83486e9c90423ff3dcd923817140140c22f5e77a84f87cf5301bba30453f5172
AgentTesla
95dede01a7a7b3f131f9c452a454917edc72c9a7cfb8b22a2561acf8441128cf
AgentTesla
a59cb21201fa989ccc0c958f5dda1cf74688c17c6833a24ee160643d48f4345b
AgentTesla
af73b666c551961360880e9d82c7fd14d9d3e41ef446e4199a0a5e82812a9a56
AgentTesla
b884c2251b7291036331d340c2ec96842d198e858cf1e8cbca7b80bf95a75727
AgentTesla
c2e1339f4e84b13995199131887d14b7584f507215d55a6901c217ef2e97bc46
AgentTesla
fa205475200b1905390d87e73c2eda671794af72b57fa0f5b86eb554c4c2ae72
AgentTesla
+ 5'501 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230809-nscp1sah53/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e
MD5 hash:
b7119b7b2f4b613f44a7a51771ff7d70
SHA1 hash:
6381aa935efd4b7a0e79aba630ca6ba728592a43
Link:
https://www.unpac.me/results/92a15d14-d8a0-470b-93d0-aba03490afc9/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/325054c4115a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/325054c4115a1fdb6ffbe48536d8e54afcf6c1ae974d5afdb79d6646769f436e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441602/

Comments