MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1583eebcf6ea13ab6bf32607c610df07b0cf5f11a99fbd6615f3edf7b71d1c58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12



SHA256 hash: 1583eebcf6ea13ab6bf32607c610df07b0cf5f11a99fbd6615f3edf7b71d1c58
SHA3-384 hash: cf8d3057acee4ec18ebffd46b9c46bca47909839296d880677c74ddc27fac0f87508ced303ac21660e66f45f9ea94092
SHA1 hash: 58a8d2431f322e91a8ba9d428c648ff3b5760add
MD5 hash: fce9512df054257be7210d40a10f88f6
humanhash: hydrogen-quiet-tennis-batman
File name: PO from Proform Technologies Inc 15124 PDF r00.exe
Signature: AgentTesla
File size: 249'744 bytes
First seen: 2023-11-28 06:56:08 UTC
Last seen: 2023-11-28 08:11:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e871f39e81b4aa977737b07cee050825 (15 x GuLoader, 3 x Formbook, 2 x RemcosRAT)
ssdeep: 3072:pk62PBHHXx4QkrXbE6BUg8+n93yIVm4Q1naYQumTZBLQdn/0iUK3a2IrC1fS:pk62PBHbedZ931m1nFEZJQ1bP3fIe
TLSH: T1D93412A2E25491E2DEF2047050A56E17DCEA7701E9602347BBB49B671DA33162C2F17F
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: AgentTesla exe signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: 2023-08-14T04:04:54Z
Valid to: 2026-08-13T04:04:54Z
Serial number: 238e27b00f32700f36759598e389c10addeb79c3
Thumbprint algorithm: SHA256
Thumbprint: cba2695156f65740074fe4f3fadda8b94afad56fd8317c1ce294f4501bcde5e3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 3
# of downloads: 313
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Searching for the window
Delayed reading of the file
Creating a file
Creating a file in the Windows subdirectories
Creating a file in the %temp% subdirectories
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected GuLoader
Threat name: Win32.Trojan.Guloader
Status: Malicious
First seen: 2023-11-27 23:05:08 UTC
File type: PE (Exe)
Extracted files: 12
AV detection: 15 of 36 (41.67%)
Threat level: 5/5
Verdict: malicious
Label(s): agenttesla_v4
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
AgentTesla
Unpacked files
SHA256 hash: b170d492cedc29719d27092c29ae1c71bc0b4d9c7df5707b44ac748bc394967f
MD5 hash: f294cfefcf2f306696944427ef551de5
SHA1 hash: 6ae91bc7706e0dc0e882f2648277ffc9437a5f8b

SHA256 hash: e32b35cde7c6e2c967445de92884684db7fda506ea52b9aaa74c1a33dd2fdfe6
MD5 hash: 55f18cafe28167995629fdeae4f07bdf
SHA1 hash: a6bd9310f4408c86149993d1e8833d35dd16bb23

SHA256 hash: 1583eebcf6ea13ab6bf32607c610df07b0cf5f11a99fbd6615f3edf7b71d1c58
MD5 hash: fce9512df054257be7210d40a10f88f6
SHA1 hash: 58a8d2431f322e91a8ba9d428c648ff3b5760add
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery type: Malspam
Malware family: AgentTesla
Sample: Executable exe 1583eebcf6ea13ab6bf32607c610df07b0cf5f11a99fbd6615f3edf7b71d1c58 (this sample)
Delivery method: Distributed via e-mail attachment
