MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f25c5db1d1c499679b705f32ac16ce11e53b7651b1133eb97418798f6ba23764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f25c5db1d1c499679b705f32ac16ce11e53b7651b1133eb97418798f6ba23764
SHA3-384 hash: 165e8542e45c47dd3653b938d4c077dfef3f2b1c56f0a55f7731384f7c45850950c820bf644cfe4dbb7a6a5a53cc7884
SHA1 hash: 30b849318c761f307a26cdc0b05610f28db59863
MD5 hash: 4153ffc2b69bc3eab40499e8ff3df8d4
humanhash: oven-twenty-tennis-ack
File name:FedExi JÄLGIMISANDMED-pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:577'024 bytes
First seen:2021-02-11 10:08:27 UTC
Last seen:2021-02-11 11:59:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:020Zi970MtaC8nCuuNrUvhXRiC0qawmS3ZJal6MB7meSEwnL6uNBA0jn:wZK8nFuuJXoxqanSfs64meSEwnL6uNBN
Threatray 2'838 similar samples on MalwareBazaar
TLSH 06C4012A1E6CAE41D2292F3B4DB5E02563BDD9021E16C32FECB53DDC59B6FEC1480685
Reporter abuse_ch
Tags:AgentTesla EST exe FedEx geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: serv1.qis.fr
Sending IP: 87.106.15.143
From: Marta Slowinska (FedEx) <marta.slowinska.osv@fedex.com>
Reply-To: Marta Slowinska (FedEx) <baeutyslondon@yahoo.com>
Subject: FedExi TARNIMISTEADE
Attachment: FedExi JÄLGIMISANDMED-pdf.7z (contains "FedExi JÄLGIMISANDMED-pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedExi JÄLGIMISANDMED-pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 10:16:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9fb70fb4-9933-47a1-919f-e3cf5f352bef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116783/
Detection(s):
SecuriteInfo.com.Artemis4153FFC2B69B.10776.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Sending a custom TCP request
Creating a process from a recently created file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605706
Signature
.NET source code contains very large array initializations
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f25c5db1d1c499679b705f32ac16ce11e53b7651b1133eb97418798f6ba23764/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 10:19:02 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jof3morysmwpg3ql4zkyfwochstw5srwejt5oludb4y625cg5sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38306ee79d194eb6353428a064ae2a54ad4ef975dfc04ff563150f2f385adf3a
AgentTesla
38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
6d3deba9b84a0196b94370ee9a1201893fcacacc6736638407d0c4b11b7995a2
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
7690575cda5195b35d188a7911f0bb879d87ec57f8124c9412c82274120c9503
AgentTesla
9b501c547c3a6220c4ce9cec44811a2637adbbd3a11a0bf11ed437fde7747410
AgentTesla
b3efff040730dd6af8c66d93e0c2bb96273051264abb10182c1c5831b5d7ffcc
AgentTesla
bee8a143562146fc38a4d02e59d2f2e280dc0a547cda9983dfde0aacdea4e99e
AgentTesla
f90cf6686fcfe69bb074cf65a5b7e19c8e97b1351377faa7a2477577d4171de8
AgentTesla
+ 2'828 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-ed7kbthy56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/2a22ecf9-1c3d-48f6-a98b-9f9f61b2d26d/
SH256 hash:
f25c5db1d1c499679b705f32ac16ce11e53b7651b1133eb97418798f6ba23764
MD5 hash:
4153ffc2b69bc3eab40499e8ff3df8d4
SHA1 hash:
30b849318c761f307a26cdc0b05610f28db59863
Link:
https://www.unpac.me/results/2a22ecf9-1c3d-48f6-a98b-9f9f61b2d26d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 391943e0960ae0db515dd318e80bc15ab6b0829a8d962e34cca2702905bd4be0

AgentTesla

Executable exe f25c5db1d1c499679b705f32ac16ce11e53b7651b1133eb97418798f6ba23764

(this sample)

  
Dropped by
MD5 b4c59112e41ad39a57dea234bc155e2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116783/
  
Dropped by
SHA256 391943e0960ae0db515dd318e80bc15ab6b0829a8d962e34cca2702905bd4be0

Comments