MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94
SHA3-384 hash: 6cef665a23031be01370f605e83800503da1f59dbed9bad9996657e517f0bc887226a6b1c0d9797d491f0371d022ea10
SHA1 hash: 1287d517650ee77a1feecad3d44211e8bb9583c9
MD5 hash: 120a53a6b152cf6ced8ed708b2f2a033
humanhash: social-nitrogen-georgia-winter
File name:120a53a6b152cf6ced8ed708b2f2a033.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:590'848 bytes
First seen:2020-11-19 09:14:22 UTC
Last seen:2020-11-21 06:12:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:OR1bC2wpJYF6xNxbFhAL9xpaUHfAkTxKLlmRR6tvk+T:gXSX7mpaUHYeKBW4tvk
Threatray 1'399 similar samples on MalwareBazaar
TLSH DBC4238B932C8678DB5A13BA9420540D02FBBDC56102F7D9DB4D606D22F3FBA7A09573
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla C2:
http://192.210.214.146/webpanel-majorboy1/inc/8d7b442291cce3.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/542596
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 09:15:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=las2kmkmczlsqqxpxplaxzrqqbqwne6sv3tgun47odcuycpc52ka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01eea9d80166f57f6fe65ac47695ffc74bac20e1de4743d44dbcc834e88fb7a4
AgentTesla
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
1c235e2b6c4cae6f90ac0ad89a690e0cd2f63e1151274f30e2cf3487da0b7eee
AgentTesla
219a107d944dc880a18d48ac5f9627f68107289376ec2dc2ada387f0f371b1e8
AgentTesla
24098778dca36a5ff9aa4ce38ab0bd9cdecfd3a8dc3f563e694111003d6f7827
AgentTesla
554572aa51eb6a3ab4e1bb61511102574ab1bf2964560e5f7463120c368ff30a
AgentTesla
69802a718d5caaf3e8c9e319eb703dcfa34971d9f79f9b8135b722a0cf12c74b
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
b39379ebe05246822743fa8343c14aa40d04c0496dbd43c666e5de7f8af4eb71
AgentTesla
c1e775844ae65d163fef7ec92e2d48ab4fd36ec5412999a5cba1c85ef0edd105
AgentTesla
+ 1'389 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201119-nh34a2jv9j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94
MD5 hash:
120a53a6b152cf6ced8ed708b2f2a033
SHA1 hash:
1287d517650ee77a1feecad3d44211e8bb9583c9
Link:
https://www.unpac.me/results/139aab5c-12a2-4eb6-8889-2f333dbd1988/
SH256 hash:
173d8042afda1267aad0777d279e893c489fa2df0bb688cfdd3b575a545f1698
MD5 hash:
f2b96f2975ab50897dc8efba5d4ccae2
SHA1 hash:
7599b2c4ecc2d4837dfd928c356a39cce60e7da4
Link:
https://www.unpac.me/results/139aab5c-12a2-4eb6-8889-2f333dbd1988/
SH256 hash:
6545184be5a3a8484f961bd6544bab68bfc10919971bd33545350a6f15ff4e72
MD5 hash:
9940408a3b26b8b777106a23c7925615
SHA1 hash:
8293bbf2a23ff1d4fdca1b838d0acac64788711d
Link:
https://www.unpac.me/results/139aab5c-12a2-4eb6-8889-2f333dbd1988/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 5825a5314c16572842efbbd60be63080616693d2aee66a379f70c54c09e2ee94

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/807238/
  
Delivery method
Distributed via web download

Comments