MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e8538add4ab2c08d4706205118a0ed7cd9c969d030f8b9ca203a12b0623c78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	15e8538add4ab2c08d4706205118a0ed7cd9c969d030f8b9ca203a12b0623c78
SHA3-384 hash:	da038fdd9a4f5b755ec013da57875d66333ee6b09556b71c68819609f05ffe3d4d313ea3c2ef3dda777ef5353ac8c217
SHA1 hash:	cf4a829aec6649d4ad478fd5324b0028cbd55c60
MD5 hash:	14abba48a3368a87aaf561c1ca48c0a0
humanhash:	september-uranus-one-glucose
File name:	PAYMENT ADVICE 09680820210111091448.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	414'720 bytes
First seen:	2021-02-02 10:16:16 UTC
Last seen:	2021-02-02 12:18:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:OUeuO29TKI5/DX85JopCJlVjzdvIhNh3YF5G9nhp/gIiU+X8fAtP4GR2D:OUReI5/DM5Jjvpd+0G3p/bA4D
Threatray	2'379 similar samples on MalwareBazaar
TLSH	FE94E07C5BAA9E72D87E0779C9642A343B70B982894BD31F15C052FD2D237D14A82F93
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PAYMENT ADVICE 09680820210111091448.exe

Verdict:

Suspicious activity

Analysis date:

2021-02-02 10:19:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/23e4aa9a-3b9a-4e6c-883f-276c20197ba3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/115140/

Detection(s):

SecuriteInfo.com.Trojan.Hosts.48225.28504.4021.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Changing the hosts file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/596500

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: RegAsm connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/15e8538add4ab2c08d4706205118a0ed7cd9c969d030f8b9ca203a12b0623c78/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-02 07:46:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cxufhcw5jkzmbdkhayqfcgfa5v6ntslj2ayprookea5bfmdchr4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51

AgentTesla

527595925cba49d29a946fe1e13ad8651c2c220809714e3882929aa369969ba5

AgentTesla

56b4f0d1d0a0ed41109abf11275097cfd12e8e79709f829914f6a89286606eab

AgentTesla

63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774

AgentTesla

670b031cca042e01b07ece7021acc32ead795c2d64956c3f8754ff5f619dbcea

AgentTesla

803d5b755bfb29e7fd30fe679ec21ccb1eb1ea89b19bbe1a989b4cf10d2ebca7

AgentTesla

aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240

AgentTesla

ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb

AgentTesla

f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8

AgentTesla

+ 2'369 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210202-1wj1ddp1z6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops file in Drivers directory

Beds Protector Packer

AgentTesla

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/b0010c3b-d7eb-4c85-a3f7-9e062169757b/

SH256 hash:

6717ae5a7ca8a3a7e19ad53b2e40e55c33d596d21cf2480737a22ed838025a7b

MD5 hash:

af91cd71f9ea808238815ca0eaae5c9c

SHA1 hash:

f65cc799f79688fcd203f3ce8a80ca32730f95c3

Link:

https://www.unpac.me/results/b0010c3b-d7eb-4c85-a3f7-9e062169757b/

SH256 hash:

6eed91473e464232031eb7635e64cdd95810d8d27c17d1cf4b9b9464380a65a5

MD5 hash:

50a74c3f65f7863109494c4a87684816

SHA1 hash:

5fdf0cdba1b7818fdd4161a29cc326e0a1a8ac32

Link:

https://www.unpac.me/results/b0010c3b-d7eb-4c85-a3f7-9e062169757b/

SH256 hash:

15e8538add4ab2c08d4706205118a0ed7cd9c969d030f8b9ca203a12b0623c78

MD5 hash:

14abba48a3368a87aaf561c1ca48c0a0

SHA1 hash:

cf4a829aec6649d4ad478fd5324b0028cbd55c60

Link:

https://www.unpac.me/results/b0010c3b-d7eb-4c85-a3f7-9e062169757b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15e8538add4ab2c08d4706205118a0ed7cd9c969d030f8b9ca203a12b0623c78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod Beds Protector