MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15d502ca6233539987d32fc7a0e633ca437e3e41b0dd579f0fb5746d7076fc86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5


SHA256 hash: 15d502ca6233539987d32fc7a0e633ca437e3e41b0dd579f0fb5746d7076fc86
SHA3-384 hash: 63acbff3e31ff0c70a20d9002b6c1b690a49310a7017ec1d22912fa853f5739111fc3ec9c5f99fab21e619e403a0d22f
SHA1 hash: 88ecb6277d19fada8b4e3462f9dd8bffbf1ed0e4
MD5 hash: 9a7cce81d0f888c3bd1c4bfce2cc6da9
humanhash: moon-alaska-uniform-three
File name: SOA Feb-March 2023.zip
Signature: AgentTesla
File size: 1'015'166 bytes
First seen: 2023-03-31 07:22:24 UTC
Last seen: 2023-04-01 08:58:50 UTC
File type: zip
MIME type: application/zip
ssdeep: 24576:0hIVGnseePJp3jr0A7bxRm9+e7P71q0YiQ+hRW9fe35gBA8:u+GnRe3jQSbxR/STw0YiQAmbA8
TLSH: T14F2523B76CD490B8A188143D5A855D18DA504D634FC3CF69C0AC5362FD9FABDCB8CAA3
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: cocaman
Tags: zip


cocaman
Malicious email (T1566.001)
From: "fin@ss-transport.com" (likely spoofed)
Received: "from [193.42.33.80] (unknown [193.42.33.80]) "
Date: "31 Mar 2023 14:21:44 +0200"
Subject: "SST Statement- Feb/March 2023"
Attachment: "SOA Feb-March 2023.zip"

Intelligence

File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: SOA Feb-March 2023.bat
File size: 1'359'396 bytes
SHA256 hash: a354101aa8c8db6f2b337ebc68571edd296d374ad8a99f79fd62d2c07321993e
MD5 hash: 9f8f23997c4e07be88d8dbe835c8b6ed
MIME type: text/x-msdos-batch
Signature: AgentTesla

Vendor Threat Intelligence
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla brand:microsoft evasion keylogger phishing spyware stealer trojan
Behaviour
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates system info in registry
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Drops file in Program Files directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Sets file to hidden
AgentTesla
Malware Config
C2 Extraction: https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: BlackGuard_Rule
Author: Jiho Kim
Description: Yara rule for BlackGuard Stealer v1.0 - v3.0
Reference: https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
zip 15d502ca6233539987d32fc7a0e633ca437e3e41b0dd579f0fb5746d7076fc86 (this sample)

Delivery method: Distributed via e-mail attachment

Comments