MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c
SHA3-384 hash: 52d1c91b2be9c69c838ff0f2ad3b7172083b8b36b40afe5d652f33b5d0563c4fcfca3f487d63e9ec276e1e53f0876c72
SHA1 hash: 52d61837bff569bb84a5ec4b9a9abf8da82e84e4
MD5 hash: 51b420f3fd2b5959eb538a378868f58b
humanhash: fish-cold-bravo-oven
File name:doc.rar.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'041'920 bytes
First seen:2021-04-09 22:18:57 UTC
Last seen:2021-04-09 22:41:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:IYZpEqAmf/mP4bMItR/18ZZrrgDPT+XI1TuS6dtUeNmLBAAa+SXXwC6VhCElP7rE:mqMUP/18DIDCRS6j/2BAAaJHB6Vp1q
Threatray 3'848 similar samples on MalwareBazaar
TLSH 2825AD80E6849690DC589B715932C9710333BDED6833DB1C29CD3E9B3BBB38A5C65993
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc.rar.exe
Verdict:
Malicious activity
Analysis date:
2021-04-09 22:22:16 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/c0e833f6-1016-42f4-8dc5-47425dfd935e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133464/
Detection(s):
SecuriteInfo.com.Variant.Bulz.349164.9461.31496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/671861
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 22:19:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
71
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijoqxxohowf3m6czhavghv5sdq32m5kdyqkwedr324hx7vupcb6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
25950b57e7da823878746088c89def5dce4d0ffaf6a8ebbeec6f1aa8a0667057
AgentTesla
3529f437801eed53684a28376fa14332cf44a3b8396e8473bccdb92bf2fedb25
AgentTesla
4994562a8195097940cac88cff7737d8d990189acfdc2e1bc2f0133428304593
AgentTesla
6ba09bf0b6f9ed13f6600679a0c81cc79dc1461213798b606178f3815078aedd
AgentTesla
6f96c1cc562c104cb339f346411c7b983c42ccded781115e1de67d645df9a00a
AgentTesla
8642bef0da90b39eff7e2f28570d28aa2a9aaabcd181c9f64bcfbdd331a606f1
AgentTesla
b26bfa277644c0c5eb8fa1a8bc4734131ab15100d81b2d5a1dc9aaee1fd2a23a
AgentTesla
d8a41a28c498d512310f9acfe5c44c6d22daa445d522cd53bd80bb4b2fddf2ac
AgentTesla
fc40429e1461e2cc002fdb2b131ca7eadd4f3a688a24130197667c3493213986
AgentTesla
+ 3'838 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210409-vd1c7wvef2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
2e65ce98658037bdf8945235902d4fa3f4dfc5a0a98c5b8035c72e9dfea3c6a4
MD5 hash:
1c5017f9addb605ad79d5fb110487a35
SHA1 hash:
7b03ab5733c4eb0e0ae9882eca246dc1af756745
Link:
https://www.unpac.me/results/5a020760-dd6f-4688-ad4c-83e5dc9aeaec/
SH256 hash:
456a91ababaf84f414409b11ccd8c3707b4bb960ff1ea7c2c4d0994786c10523
MD5 hash:
cade598993a134a4e693ac25936c530c
SHA1 hash:
728b2ed076c142be4d203ba84694c6892ff3c842
Link:
https://www.unpac.me/results/5a020760-dd6f-4688-ad4c-83e5dc9aeaec/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/5a020760-dd6f-4688-ad4c-83e5dc9aeaec/
SH256 hash:
425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c
MD5 hash:
51b420f3fd2b5959eb538a378868f58b
SHA1 hash:
52d61837bff569bb84a5ec4b9a9abf8da82e84e4
Link:
https://www.unpac.me/results/5a020760-dd6f-4688-ad4c-83e5dc9aeaec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:dridex_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e11d91103509b25ad4bed6dcab64d4700657f32f9d38223f7cf0176934f4cf2e

AgentTesla

Executable exe 425d0bddc7758bb67859382a63d7b21c37a67543c415620e3bd70f7fd68f107c

(this sample)

  
Dropped by
MD5 3b79c48b16d376836c4737b3a6b09322
  
Dropped by
SHA256 e11d91103509b25ad4bed6dcab64d4700657f32f9d38223f7cf0176934f4cf2e
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/133464/

Comments