MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3
SHA3-384 hash: e8c4076e5ed03ac494c153eeca2f12f1aa4563dc883999fb57a8a309dedf045df94ab003de022d923d05224421690928
SHA1 hash: aeb7514c92caac17898b2d2e077b7e7af5f672dc
MD5 hash: 3561c42ceb28015d6ab070116c553219
humanhash: minnesota-uniform-papa-seven
File name:Scan001.........pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'046'528 bytes
First seen:2023-02-24 21:01:58 UTC
Last seen:2023-02-24 21:02:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Dyc4yZ1cxmG4F9nx+o3ZzT11gXlkhVhrYE:GwWmbFFBpzx1KlEV6E
Threatray 957 similar samples on MalwareBazaar
TLSH T1A825AD09A7B0D6B3C58B01EF18385B4D39A474437619E26D8FB77FD292709BB35A9203
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter TeamDreier
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan001.........pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-02-24 21:03:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b78d44dc-4938-40a1-aecc-290501d8c699

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBeeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369534/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Win.Packed.Snakelogger-9988551-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/63f925d62313ffd5d3186239/reports/2671104a-5109-4342-826a-87ca76c3ec9b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c545de6-b15d-483c-a24d-4ca3fb012320
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182125
Signature
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814956 Sample: Scan001.........pdf.exe Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 51 Antivirus detection for URL or domain 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 2 other signatures 2->57 6 Scan001.........pdf.exe 3 2->6         started        10 lANdBmK.exe 3 2->10         started        12 lANdBmK.exe 2 2->12         started        process3 file4 25 C:\Users\user\...\Scan001.........pdf.exe.log, ASCII 6->25 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->59 61 May check the online IP address of the machine 6->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->63 14 Scan001.........pdf.exe 17 5 6->14         started        19 Scan001.........pdf.exe 6->19         started        65 Multi AV Scanner detection for dropped file 10->65 67 Machine Learning detection for dropped file 10->67 69 Injects a PE file into a foreign processes 10->69 21 lANdBmK.exe 14 2 10->21         started        23 lANdBmK.exe 12->23         started        signatures5 process6 dnsIp7 31 api4.ipify.org 64.185.227.155, 443, 49691, 49701 WEBNXUS United States 14->31 33 mail.kmailsoftware.com 192.185.46.57, 49698, 49703, 49704 UNIFIEDLAYER-AS-1US United States 14->33 41 4 other IPs or domains 14->41 27 C:\Users\user\AppData\Roaming\...\lANdBmK.exe, PE32 14->27 dropped 29 C:\Users\user\...\lANdBmK.exe:Zone.Identifier, ASCII 14->29 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->43 45 Tries to steal Mail credentials (via file / registry access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 35 api.ipify.org 21->35 37 104.237.62.211, 443, 49702 WEBNXUS United States 23->37 39 api.ipify.org 23->39 49 Tries to harvest and steal browser information (history, passwords, etc) 23->49 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2023-02-20 16:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
27 of 39 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxh5co72bhr2wwmymktr23bgwtaxtyql7rldcyigrehdtuosrlzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0aa6fc743d5bc7f1e32187887accb9cd1120372b644d4cd046e1fbb7814ab37a
AgentTesla
14997972307c483549e7e7818855d1e2cd889598a943fdc3dfff67e69e20946c
AgentTesla
15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3
AgentTesla
27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904
AgentTesla
41d58a31e2befb91705b4630f2cc48bfe9c09d5c26aee2034e5279b7bb314f4c
AgentTesla
53606fcd5a8f195a763cb48f5aafffac01fdfb8e73d5fe99438ebc2d1eba6eca
AgentTesla
6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6
AgentTesla
b362c914752624d07988ff806611b5510fc02da6f58ad109ee6e9b66685a7b29
AgentTesla
b7c634bcc745337f95f7938965fc25ca5aea07634dd74e30cafae6a677a8ad09
AgentTesla
d975348bc9e2938f9bbb8f8c96f20cbc74c0241ef9e0847a853233fd962f73fa
AgentTesla
+ 947 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230224-zvfp8saf6t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
7a3ec41634bc86882f1c9090acfb845c7ce1556d55f88bfb41bc01bebba15787
MD5 hash:
9cebff1655614fd2bbb9faefd8ac9606
SHA1 hash:
922a9d780a238b235aaad31bb5f933a0cfc3c7ec
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
SH256 hash:
4cb93da5da46078b149a3c167f4b09ea70c77c6a540126079adf683ff3b83029
MD5 hash:
be4df91000f3a62623e1f147a6435c78
SHA1 hash:
290090edbf5194e52b73c4b027dd52072a2b3355
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
SH256 hash:
febd5aecda58f43ec76dc2c88af75afc01fb191a6a8f8848aad1a68e3b55b5f3
MD5 hash:
eae360bede736b1f8871d10383e14fe8
SHA1 hash:
0b46ba6c937ceb971a4b49bdbb24b1b56e840398
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
SH256 hash:
8b84cc6a54255b3f246f9fd4d028b9dad4e8a6b737e2883f62ee4d58101bdc29
MD5 hash:
f5277d0a279617443e5948acd71b156c
SHA1 hash:
0040519670f5c12f9eaf0a500982737e20024ea9
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
SH256 hash:
15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3
MD5 hash:
3561c42ceb28015d6ab070116c553219
SHA1 hash:
aeb7514c92caac17898b2d2e077b7e7af5f672dc
Link:
https://www.unpac.me/results/64984f7b-d265-4059-a123-c543bce374e8/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15cfd13bfa09/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 15cfd13bfa09e3ab599862a71d6c26b4c179e20bfc56316106890e39d1d28af3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369534/

Comments