MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
SHA3-384 hash: 148f198c2fbf7e94baa1e1a7ace6e03d026b816d4d03261b4da2d2bc160b0ec4bf97a8239e7bec75a9198972585b3f61
SHA1 hash: c8922c360af8a69f1e75996dd989d359991fb980
MD5 hash: e4c3b459a57aad379f4ebaf0fc8f5fbe
humanhash: spaghetti-muppet-low-hotel
File name:Shipmernt copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:891'904 bytes
First seen:2024-07-29 08:54:21 UTC
Last seen:2024-08-05 13:01:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:wFFOX4ClAhpnZYnoWdT74HFiLMTw+qrwYuX0J:wXOX2pnWoWdTkHXU/rfdJ
Threatray 1'274 similar samples on MalwareBazaar
TLSH T1D81502D53E6C9611F1868ABCB260D04A3A74EA03262EFF1A5DD00E9C1BED7F765481C7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon ccdcfcf0f0e8ccfc (8 x AgentTesla, 2 x Formbook, 1 x AZORult)
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
Shipmernt copy.exe
Verdict:
Malicious activity
Analysis date:
2024-07-29 10:16:13 UTC
Tags:
netreactor stealer evasion agenttesla
Link:
https://app.any.run/tasks/d90fb8a4-57a6-4539-96ae-c861b7371fbb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a758fe3ee5253b89e5ddf6
Tags:
Discovery Execution Generic Infostealer Network Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66a758f94c5c17942a7f89f2/reports/394695af-71db-4a90-abd3-9b4fdf85426e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e9b6f9d4-11c5-4e18-9ef0-0ef9f3bc3bce
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1483895
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483895 Sample: Shipmernt copy.exe Startdate: 29/07/2024 Architecture: WINDOWS Score: 100 50 mail.iaa-airferight.com 2->50 52 api.ipify.org 2->52 54 171.39.242.20.in-addr.arpa 2->54 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 12 other signatures 2->66 8 Shipmernt copy.exe 7 2->8         started        12 NIqtLt.exe 5 2->12         started        signatures3 process4 file5 42 C:\Users\user\AppData\Roaming42IqtLt.exe, PE32 8->42 dropped 44 C:\Users\user\...44IqtLt.exe:Zone.Identifier, ASCII 8->44 dropped 46 C:\Users\user\AppData\Local\...\tmp130A.tmp, XML 8->46 dropped 48 C:\Users\user\...\Shipmernt copy.exe.log, ASCII 8->48 dropped 68 Writes to foreign memory regions 8->68 70 Allocates memory in foreign processes 8->70 72 Adds a directory exclusion to Windows Defender 8->72 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        30 2 other processes 8->30 74 Multi AV Scanner detection for dropped file 12->74 76 Machine Learning detection for dropped file 12->76 78 Injects a PE file into a foreign processes 12->78 22 RegSvcs.exe 12->22         started        24 schtasks.exe 12->24         started        26 RegSvcs.exe 12->26         started        28 RegSvcs.exe 12->28         started        signatures6 process7 dnsIp8 56 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 14->56 58 api.ipify.org 104.26.13.205, 443, 49709, 49713 CLOUDFLARENETUS United States 14->58 80 Loading BitLocker PowerShell Module 18->80 32 conhost.exe 18->32         started        34 WmiPrvSE.exe 18->34         started        36 conhost.exe 20->36         started        82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->82 84 Tries to steal Mail credentials (via file / registry access) 22->84 86 Tries to harvest and steal ftp login credentials 22->86 88 Tries to harvest and steal browser information (history, passwords, etc) 22->88 38 conhost.exe 24->38         started        90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 30->90 40 conhost.exe 30->40         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-07-29 07:07:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cuuzzxnu4a54fo6c4lafpqnl6ovqmosyhht7zezzhf4xvjodr62q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
a61b8d2bc79e489fe0009755c0a3ca485d64cbdee48bcd55f2dc2624b73e994e
AgentTesla
af6694d1a51a60d7bf11ca63a9af3e749c122490ab8f620921b73f89eb1d9123
AgentTesla
b07cd71f9882bdd5e28f47863b84634b985bebb1dab1e5cc84e246b94fe8c864
AgentTesla
d987e88da6ca8f62cea95a075325a66e645ea856364eea63ddbcbd5e5a72b7c8
AgentTesla
+ 1'264 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/240729-kvgj7svcra/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/058ca0f8-3fec-478c-a6b1-92b85522ad5b
Unpacked files
SH256 hash:
cab6a13eb67b557098f77b98629067b44d816356edcd34279f73c749560e3fbd
MD5 hash:
aa802efdbea1bc3c464d774ee5ff1dde
SHA1 hash:
eba1db1a3f26cdb4e11d75499448dfc498fcc4d4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fea535c0-a427-4a6d-9316-c3abe91f4c89/
Parent samples :
86d535d54ed2e30a80ddc2c530c330d8898ded55ad6ba35310f14c3f23a19a0d
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
12d10e1ecc6afdf8f4ec4b08806c3eb3164e83ee258031bf7e292279e8e3ad66
77ac5b15d78e58b7ed803e93aa16e4742ab0b6c1eb4e0b5c8a93f3799ed00e18
11c37fead8b02d4646499109187b632dc2ec2f49d842e7aabb3bb93d7ce3d538
ff155d8b9a7c9df0c77f203a547157f25b89aec97f2807081c74c7735602507c
552ec910ab15e94277c6211423d6a3f92fd96bcd8d84695c6adf3a36e9d366ba
c75ae9d4a81e584dbdf1d2ffe063a22ad2189b1408975eaf8ef6410edec81fd9
a2494f6dfc0726f3ada24c21185c0554d50f1ecc13bc434a47d0a0bad5d9e767
5223dbf673bce63ab81bbdfecc931ddd6d9a8d3c138e269e479e56167eed1c50
b24eaa1b9bd278aaadaa1c2e7a74a6674b0f604048c5851ae6ae598152bdcd67
a85df9ae1792ac726d8486058b5f1ddb89f232930cb3c7172291fe3adee3220d
b52771878f98cb32f91e9c5eb88b1452b25077c973bf5db1ef3ab356ec9b80e9
4f6abf63121d8ac6db6af1b4aaa3331822ebf670bb70a98720d759cd41ec6a90
85f373ce0f6da2b2bd6b1fba5243ce691997bab0e3d9f912d6d1b4f7c617d103
7aafc2b21a5a3d027eb1762dd91328b5adfb013f5c86fb4da95c4fdce8313535
007848670c9bdba545221e97ee5047081c60af7edf232f04b1f044b03732e323
dc37dbd4aabfd3993ad6c43f35ebd47fecf7c2fd40a3dbfdb99a21e1b6885f95
fd2bd6b337113729beeb74f7446d2b777315abca4d557a5cfd7acd679add2d65
9ca974f315a7980f38671b6668946264198130593006ff0423637c55249f21c1
267a95b7715bba494b96ff9d7bf29dfd8ee2c73c5312964b5039962826ce6fc7
6d524f19183002c058639b24455f309f78f225ee0a0210cfd820b83609f132ad
fddb2e3244a031741a1da8a0a5086890cb02ef24bd93b7df8971b42d65b1a03d
6bc6f1ef2929e6e16e0f98b29e7ade9b941a7080347db2321852b5afc58b0cfd
efab4e467f93e1f5b3f0fee251844f6e3667b794aff5fde442d7b4db955201e0
d182a98c60c7fe6f8945a4791c365234f519485f7a0e6dd0e95513f9670e0cf6
18dba55b8d1c77f7b0dcf0a2ae3a4a702be887e0fe36c6efca2d9caaaf33fe1c
684728d71a1b686e85a2671e253ecbd27da9e028f3160e84408033dc9ec21dbe
da0fd2ccf00f1cae00d3ffeec1f8dccd520b02b1b8953fe7839db61e0f843acc
8961382e3a069a9b64457dc4f73fe9aaa9b927451d7715fa1a4d9be8114edb23
584b6e279cccf8b9faedfbc68242f158f19f881643fc79614f3cd96d4c50cf89
7ecc027520fac0c2341292e6e6cc3389c172399ee0d7a3672b5455ec7f4b775c
7ad4e2e9091d961c63bd8a5de7c884df9c81c6395f35645f8c17befa50fa6bec
ac082f9d7470f51db94b17a7b86f0c680e76a2bbe82382332fa7a8a6d52bb898
253bedf2000dc70d54a576b7ef69a7cd990aae9b1734cf65193b7862f47da94e
e67ae0c8bca17f912e1fdcc8dacac7e967ac9dfcfc031d944663043c99f32ea7
3b0bc3f1f71b05a119884770f7c79d236ddf6b6ccc378b30705f3ecb712be998
5e979880469bfba9dc9b850ed945530fc277fcbdd96227661972c89e700ecd1e
4d1527ce09d716a68f0a548a3fab80d2223028460e036f43b579f211b91b0ff3
a96c7253cab161d289efdea709091608649deeb1423a4df65d1cd13ad28642ae
d5033b91615c5b714b92362b7906982f577b7235b0bdc8433a03cbe0e8992730
ecb208b31c9db988e6a1ec481172f71e646a084add91834c0631ea2dd0d6efd6
94b60b83cf8ae31ab9133dc8d689ae1cb34190128ebdfe0502a752113c7fc2f9
58a3d9499f2175456ff0b6f652cb1b0603fadf615b597a59713f23f2ac6350b4
b914e2a5f98b702eefc2ec6474500eb32fd3032032bfdba52fe136898de7c231
5868636d8eaadf62ceeacb1564bb3a8614e8e87471e2475d48f765fad94f3d9f
690f04e5bd79e7410dc886fd084b7c8b1c198d398674a95117dcc6137bdfc66b
19beaa481d4538a01e7156ab1d065d010056be23f81edcc4056629f8aacb46d6
b42cf4d03e50a5913c6a20c9b70ef11ca48890a75adf324754a01fb269182bd7
41445ff8ed7dc3ce3e7f54c5fd7fb93e5a7c8961237bc408b92dc48dada2ba88
523d949366cc9f4ddfa2d9c261bf1f0741879b32cc821e6e654830184ff4815b
5dbbaa22b757de07d0fb4b665b1863811a2e80498b5265ee903c3998a8684b6d
f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
023034cca9da6237539371b5b9ed642a7e27586f5908ee9cd400649665c22a40
949fd4ab1f31af8e7ca60994be0e8ab1d96f92ccb339d7aab1b5f969ffc7ba9c
f3ac084766855ffecdafc4e214d1087966be4b88edd5a2e729b6e699b7ef546f
de6619e254db011cc45ea6684edab7007f3e8deb6f264afa97c002d840858781
3b08f443e9b1999e957fecbe5a3b9b51b666b78b4286350f23e7c618e44e0abd
5f569c72db9c31528daf2e907938b9bb711ea3a050efe5bf5d514dc962c5415c
745bbe5ba33f2e50be4de60788cb6a685c2dd7f4f78d933e0b99f6be4988b013
25e04a4c87cc29c42fccc7137735bc6e7f5e11d06cc2039493b88be56c5133aa
SH256 hash:
cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c
MD5 hash:
375a7c8575a28440c4e4f0b72df2f759
SHA1 hash:
960eb458a3e68b9388bafe727e6365527e20d841
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Link:
https://www.unpac.me/results/fea535c0-a427-4a6d-9316-c3abe91f4c89/
Parent samples :
29f2f8293c3b8868dd9f057b6b7ec1a898c1e57205be359afafa433cd9cd7bb3
1c92d3868a5a6d2f87a8c0308ff37d329911dd4c43b5fbd654a69773ca6fbbbc
c2de6c81a5bc4a97ac8e34adb89a14885bfc91bc284550221d865f335f575214
d7e484c20f0341e35945ad2a6f803fcd0829a68b7dedf05430c0be06d5392ed5
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d
d1248b99698d1efcfddacc89384b3df62e8dce35251d7a96dbb13cd31b30f853
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
b2d9f8edf1b8ab56a07620a6dd37944c423604ea5e25d97de57d03f5412b9906
6443b593fc020a993974a850a6609c498398ac6d8368607dd2bc1ad1d785f38b
b3ac3ae44c087c5dc5d42c5ea8531e82f47cc6740da571a7c60624dfdb436469
0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a
5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba
57b6b7a5011b1e0d3b8a43da9c78528e3a133cd20f5f9cf72c6359dab423693a
e28f384946d7a17d59de700e40186725163b534eab150d6be5327187e7f83a28
dd566ea9737c75cf44885c842a944952d23abc1fb315867b4f07c3b8f37ce01b
9451626c4ac447e1f325611381448ee5fc8224945bda86cf32ce94306c3cd9ec
104fa5737e0c2aafa7558bd7bd6080cf54ac125b4337f4e0515e41d9e1370a04
cd583aa76a762a640be309b14234e47081d254d416b0567afb293f219428ce46
ec4ae5d1e86adee06c295ad77006d3328d144aad4fa2d0dd4fb7fa1380e21406
cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c
22a01767b082d5ef80c5f191c653f73fc7d4f9d2742229580fd928a9a867a4df
7fce3e76c6fced8598769e97c7cf34eaa6e86949bf61b75526fb3b489f6d81f7
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
b4930dde2fc721a3d6648831dd4fe2ebd5085e0218864eb48e68e54a69d7cd41
86b3feb69665d03eaf1b1a3fc4dcf8221443f9c75458f34aea20d72d05c16cfc
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212
3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce
d5d6f7922d87a58322e5d4ace6819497d0942b3b22dc10c52f5a37cad8e42793
07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
67f4b6cba186520b5247fa0ec23e129dd20c51640662108c2b9db61cf968f17d
2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd
9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
39454a1ce8c389d837bb510efe44858712813fd3ef611822af3a1e5b0f64f52a
001c5c64500979a3b3c0251a7e94292dd1a188638bc7aeb0168e9578c53eaaef
019c0bda2cdb00d88ddd70fae9c57490c14b218aa3c2e9f383f75fa415c03168
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
c6ca7a0c812b140b8d3e1f7ceb12f0efe6bc0f564c6312814bc9dba1255e8788
b46e55db0693853f1f96a8ba2baad879f4e700db1c976a4041427ed221538922
81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b
d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf
914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75
d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334
3b593da5f678af89946aebb762ab465c627a4dea6942b1a134a22536fb9ec7b6
5fd1a09cf8cee6f5529209307343ce46ab95e96b7fe6151d57e4f2d225827b3d
207836d40a534374a426bfb3eda7d988a77b2d8312b122644be1ff6659ecb59d
76930f5752402bbffccf8edeb6b07cd1ccf925c8c34853650e367cb2e0bc3e8a
7f26fab81265bdcc5ee00766756159b473e5350f77e13cddfb28b3af9480d19e
a46460f8d8d27ef7561eec3297790812f7b6187ee066ee2ffbe3cd60c2fd5ffe
e7d6f8ffb410620820c565a54f6360ad432593cb99705ab5d408e7e53c8f19ab
70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d
e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
af65f2da3fd19510fafbeeff3fdf3531db13eef1cf40f6bcf6580f76c8abf3e4
276ee9ca37adcf31809cad29a26c112e623e8b0d9444334247139a63563ba268
4587101c910c2af014b4f604c0ba76717c1c8b3f360ce0a191e81158b691f6cc
27bd5e4723cf6f83c2f4a5669ed07025c8c7925ee09b59861c6ec6009615e28d
97f4735ea0610794bdbb279c3d8fab019be4552788b76ea8ffcc4a53f7d731fe
db9075f1eadd4b7dfbc145d16f17c50ec345e99d3b5e3b7593f86e5b8532b4c5
8c3a603f6409c75df6f65da000fb6370e8a95da1572507a6f812d06f219c89b3
d11a5704f52bcddd56abfc1533daf7d30bc6b98ee89d81e7534f1be1343c9a6d
1de9012faa32acb0bd829ee77afa29ea04798a14152e2a624f03b08992922bea
77625c8d0612143544ef6bf2907b6f30fd4be765bdd955004885b29f388fb17d
1d1753775e003c95edf26e2938b3f7b9411c0791a5a65c77f662264e6a554156
d695f1fe44dd596d3132f964c43d9729a7df5bdcea72c504db47a41c6a648164
74b30b12fca88b189c0aec3f5af5dabb8f496811036bc4c1601b2fe49fdd96e4
f140450118202ed165b49c1a623d7e64ecf9b147254359255a734d849b9cb5d5
e71dcdd820367c9cb0b261d69c2bf74bd0d889823b75e92bc5752042a0712dd7
3d2bd0f41f351103caa9c7f99aad63c41884c7d408fba0a9c5eed5af9f5014db
c27773f8b51094bb8518e9b7e896be05144fd7f66e8b7352b974e7f42b6abc98
49a677d5dc211d01e7860854330875894852c15b14e79c19719ca47094962b77
2175bfc02e12d0136d4cdfa370226d8917b46132cbb007b04e1b79dec177b7c5
8f2d4544422f6870cebdfed81c4d0ca7db176e34166306f0fec4e4d509b773cc
750b354b873770c3702def2ba20335091b10e73f2e19e0d9f6c2164d836cf1f0
0c84b7722d83c5eba4829bcc7849e6f791fdca8a8a2c41148b2ff6ccd68e52a1
6f4245e6fc909528580e36c0ac716d6e8b19df8f6ce43bd93f526f282f3e86ec
059e6f46dc494f497e19284906976773271e9118bb7749f1aaa6cbbf4e337d39
9f178274219fc99efcbca3c85ea794c9b7a4ace49176a83a884a54794e8a1ee2
f7121d16f7c5e546edc168027fdcbeee4698b1038b035003002cee8a295468ad
2b3b53a5156b258cbe1babe783c03f3b3733c1b51a45fc6b23d84f4a84b50b84
e12f9f6dd4d092492c0d9e422da3123d88ed33ebdbb77706454e0a4a534aff5e
4b493efbc51d8cc77f3fe9e2b96070d5b9e1641a00a3f265cdb60209993fa515
6a58063fd4bfe4c9fd2bb7b17216fe3353a358a404d8b162d8b6f2a9bfc7b625
SH256 hash:
905a59a313ad8f43c8093553e26a01b69f76173395c5aca67efa87afd22fdb03
MD5 hash:
8ba0d9c1c010b24c2c2c9382a274c343
SHA1 hash:
86419069bbd40864d0c216c55a89042911d0e4a4
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fea535c0-a427-4a6d-9316-c3abe91f4c89/
SH256 hash:
cfbbdb73ac6150327dabac1fb07944a5fb0409fe2ff47ce4b508f0c3c69b31d7
MD5 hash:
7a83f1c49ecc42a435acbca9297c5801
SHA1 hash:
71cded1883523aad42766dcd7a06214950a2be05
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fea535c0-a427-4a6d-9316-c3abe91f4c89/
SH256 hash:
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
MD5 hash:
e4c3b459a57aad379f4ebaf0fc8f5fbe
SHA1 hash:
c8922c360af8a69f1e75996dd989d359991fb980
Link:
https://www.unpac.me/results/fea535c0-a427-4a6d-9316-c3abe91f4c89/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15299cddb4e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments