MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
SHA3-384 hash: 0c82c49e499815031b697da7f643b7647256889ce533057aec1f01ecdd85795f8e8cab79a6e14e8125d3e557833dcf5a
SHA1 hash: 93b2e94b2e0b6358d030523b499577c2f5f25c25
MD5 hash: b9eb774a01e2fb7a1ebfb0677588be3d
humanhash: dakota-fourteen-georgia-cup
File name:100765 00003300795687.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:712'704 bytes
First seen:2024-04-30 07:12:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:s2iNzeWFm+GMPbg/ael5Em48rnmyHBIkXfxDuaveNm10:s1tRFm+lYawtrmsak5DRmA
Threatray 1'354 similar samples on MalwareBazaar
TLSH T15BE4224013C80F35D6BD5FF61954610217F7BA23DAA5EB3A8EE0A0DF126A7901B25BC7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761.exe
Verdict:
Malicious activity
Analysis date:
2024-04-30 07:14:57 UTC
Tags:
agenttesla stealer evasion ftp exfiltration
Link:
https://app.any.run/tasks/9f1d3485-69ed-4ffc-a35c-2a55296521aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66309a05d2fc149e4128c723/reports/6497be60-7933-4a8c-a6fd-ed57cdfc9458/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d33cf47-28f5-4195-846d-b16bf384d80c
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1433899
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433899 Sample: 100765  00003300795687.exe Startdate: 30/04/2024 Architecture: WINDOWS Score: 100 20 ftp.indra-precision.co.th 2->20 22 ip-api.com 2->22 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 14 other signatures 2->44 7 100765  00003300795687.exe 15 2 2->7         started        11 chrome.exe 1 2->11         started        13 chrome.exe 2->13         started        signatures3 process4 dnsIp5 24 ftp.indra-precision.co.th 61.19.247.49, 21, 49736 CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH Thailand 7->24 26 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 7->26 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->46 48 Tries to steal Mail credentials (via file / registry access) 7->48 50 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->50 52 2 other signatures 7->52 28 192.168.2.4, 138, 21, 443 unknown unknown 11->28 30 239.255.255.250 unknown Reserved 11->30 15 chrome.exe 11->15         started        18 chrome.exe 13->18         started        signatures6 process7 dnsIp8 32 www.google.com 142.250.191.100, 443, 49740, 49741 GOOGLEUS United States 15->32 34 plus.l.google.com 142.250.191.206, 443, 49750 GOOGLEUS United States 15->34 36 apis.google.com 15->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-04-30 07:13:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmk7mqamy3qk2rp42rfyqgqx53uor2jwet6lz2f4zqvqtdoxi5qq._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
0a99db14d49955334e10fe81245fd1f155f4308b6392c17282dbdf7ac2255e12
AgentTesla
0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
AgentTesla
5d2b78785f719fda04cda095b4dfb75d00440fc39ab6e52d176a74786541bdaf
AgentTesla
e0581b57a7e87e38a5a0ebf8861f816a415bdcb037111f32ba4bdbdc78ca9be3
AgentTesla
+ 1'344 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240430-h13crafb59/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4909093c1045073940daf73778f88ce3e5d4dcbc0d69e3498ad4672c2e699013
MD5 hash:
28b43a10958caef0465f7b93be0a0d77
SHA1 hash:
9c85c1cb7f6face0a6c8d0a2d2314a99092d6554
Link:
https://www.unpac.me/results/7789814d-b901-4d3e-80d6-d993fdd4418d/
SH256 hash:
d3a6184324ed5adec6e3923070f4651d88aefdc04c208a76e1b414fa19acedcb
MD5 hash:
8d6575c853db9d9224dfe6e35d394a7c
SHA1 hash:
7a1190a07a5e4af7d12e6855646a8e1cf6e37b83
Link:
https://www.unpac.me/results/7789814d-b901-4d3e-80d6-d993fdd4418d/
SH256 hash:
7d592a5fc2662373b0200e5590cb1eeb8f00a1061af1657e476113d2134cd2a6
MD5 hash:
bc900e3fc47830420d713c1e33cbed15
SHA1 hash:
1e0241627fc669541a25d2dba5a48b43ec1718fe
Link:
https://www.unpac.me/results/7789814d-b901-4d3e-80d6-d993fdd4418d/
SH256 hash:
da30bf757502c648431b34b93bd7cb8849b392e17ed49431eed6a7fe765c0d10
MD5 hash:
896b25a0f1453b003ea3b92b54f3f41a
SHA1 hash:
1b55a6d962e48a7daab3f94f0b941a4afd9d5979
Detections:
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/7789814d-b901-4d3e-80d6-d993fdd4418d/
Parent samples :
8ae053d9300b897c0009559407842f893ca81461f707172cc42a324436839a56
fc87539e22a02272651741ae48f23ce39f83be4f282cf923f22d3aa58500d76b
d1eb3ca7fba3768f873fc91d8f07274c89de6e32fe3ba4db03ecf0bfb9902e00
53c30e1c286111c4905f6b29f0afb1bf13502396e0bf16dfdd855ba50503035f
0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
7272f79a79bfd4f0b7e12df28634268629f43a8c4d22032eb645e659fc11ce9c
fadc22fe0e28fa270ba4955bcc97cf48f86a03c63645fe0c815ffe59cf3c3029
SH256 hash:
0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761
MD5 hash:
b9eb774a01e2fb7a1ebfb0677588be3d
SHA1 hash:
93b2e94b2e0b6358d030523b499577c2f5f25c25
Link:
https://www.unpac.me/results/7789814d-b901-4d3e-80d6-d993fdd4418d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b15f6400cc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0b15f6400cc6e0ad45fcd44b881a17eee8e8e93624fcbce8bccc2b098dd74761

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments