MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
SHA3-384 hash: c3065c2b6026fedc19469f94502d5f0a51a2e96ac98b2ae137c26b25aec2110fdefd384e3ff077ff3ae1376b3d81305e
SHA1 hash: a00e2c8f2c531b2656695eec954fbf99969b8314
MD5 hash: 07fe4a4ed7d69821cbcc216c3ff3b109
humanhash: lima-nevada-nuts-enemy
File name:Request for payment confirmation for Invoice # ISB-49677 for the month of May 2023.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:804'864 bytes
First seen:2023-05-10 08:01:32 UTC
Last seen:2023-05-13 22:56:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:70rZfTQXyyH0bUnOy+/kR3FJXdfETh3LoBkqA0urM9RCUiw+LJkSiI:7OLQ9Hw5kRFZdsThkBXReHkSi
Threatray 1'018 similar samples on MalwareBazaar
TLSH T10105E111316AAB2BD7A843FE0A28454513B87716FD57E23D6EDF21CCDC22F004A66E67
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for payment confirmation for Invoice # ISB-49677 for the month of May 2023.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-10 08:09:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb22a55d-887d-4d17-bab3-eb3c57bb0125

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388080/
Detection(s):
SecuriteInfo.com.Variant.Lazy.338474.4050.26412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/645b4f802855dd84c80835c0/reports/af6e3f01-44d1-4595-8ebd-be4f4da31713/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94521dc3-04c1-40d0-ab2a-82ccb7e120fd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229834
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected AgentTesla
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 862816 Sample: Request_for_payment_confirm... Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Sigma detected: Scheduled temp file as task from temp location 2->49 51 9 other signatures 2->51 7 Request_for_payment_confirmation_for_Invoice_#_ISB-49677_for_the_month_of_May_2023.pdf.exe 7 2->7         started        11 lHATJx.exe 4 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\lHATJx.exe, PE32 7->35 dropped 37 C:\Users\user\...\lHATJx.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp974D.tmp, XML 7->39 dropped 41 Request_for_paymen...ay_2023.pdf.exe.log, ASCII 7->41 dropped 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 13 Request_for_payment_confirmation_for_Invoice_#_ISB-49677_for_the_month_of_May_2023.pdf.exe 7 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 22 7->19         started        25 2 other processes 7->25 59 Multi AV Scanner detection for dropped file 11->59 61 Machine Learning detection for dropped file 11->61 63 Injects a PE file into a foreign processes 11->63 21 lHATJx.exe 11->21         started        23 schtasks.exe 11->23         started        signatures5 process6 dnsIp7 43 api.telegram.org 149.154.167.220, 443, 49701, 49702 TELEGRAMRU United Kingdom 13->43 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->65 67 Tries to steal Mail credentials (via file / registry access) 21->67 69 Tries to harvest and steal browser information (history, passwords, etc) 21->69 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 07:55:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dakyskq5njd6pvocccduh54oedhvwiudz25bh4rsy6an3xb4kmsa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
AgentTesla
2ce7d781b4110aea5d90e86a8798e44516a33724c212e4b6099cb4babb7090d0
AgentTesla
392ee3c9d47409b170b5e4d6f7eedf427bf1121be42b024a663340bed3025bd4
AgentTesla
3b0acc239747010ba9c56cf22b4ace536d82bf3748dfb14e8b977c07f8dc976d
AgentTesla
529bb27de4876e215a65d62f1166d244bf8d16396a4cae982af3900260bd68e9
AgentTesla
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
AgentTesla
a5ee311c1782356ae8fd1e5fc6f6a2cdde6dd79ebc5c80a02c36b3327ba3ac7d
AgentTesla
c336b24aeca365ef88005a1bdf4daeee797b2ae2c0976b3db1fa4cd7c9290b87
AgentTesla
d46e1ec4fd88c836e0f27060808c2506e0df5d1034f9c88e56dd37bfc2113120
AgentTesla
fa06c367eea3dc7496e8b8c3baf34ed7775518d1b779d041f41b0a4b92d4a922
AgentTesla
+ 1'008 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230510-jw5gzsgg9x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot5494052141:AAF2aO4sQ_tu4BOnk0pmxB995km7Mslduy0/
Unpacked files
SH256 hash:
83186bc39f39088f0788a17cee2f8046564040ccb67e8fea33d23c3c743029d6
MD5 hash:
1901d7ac287db5a0b5fb5265d117dc6d
SHA1 hash:
f11dfcdb538042011cbcd8f714f18ab00bf8a676
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
SH256 hash:
bd8f7dfde6dd7a119c16575910e68418e24a1df6eb563c070c4c756d2ca3c620
MD5 hash:
d13c27165735ac6b13f3d5870025dfb1
SHA1 hash:
c17049f590332fe7680333d1be5374319d5e5131
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
SH256 hash:
db87ba8c80b086b0dffd13b67d42331e721a9a8e373c28b9f1b0cb8a8c18d90e
MD5 hash:
da28ff6e3bc7b3590eccf585dacdc686
SHA1 hash:
8a2dac85ce52ed3b5d05895e9d63ee40cb55ab07
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
Parent samples :
3a4a199fb9796ce914f2b483e367190289a0a7586650b22cda8e7ba631cb11c6
b02d91d801822490ae3fa7315323ba054cb72aee687579a81419b7f38925e653
a3e624899642025593a5646ecff5cbdf946e5b13debcdf57aad589d4da03de3a
d46e1ec4fd88c836e0f27060808c2506e0df5d1034f9c88e56dd37bfc2113120
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
63f0c5d37af5beca8498fbd732a01ed4688907d542a1d85f463409d33c756b3a
SH256 hash:
2e5f001bec32491ce92979cfcfaec5f73d74bfa0119e6350dc6967ca1f1e88d3
MD5 hash:
164b24b99844f5509c084c15f7618a2c
SHA1 hash:
841e3afbe31954bcaa3f26e304ea621aaa3585df
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
SH256 hash:
df7785315714d6f7927e6b86f5d983df14fa97a755fdb92fedbfc7122a4473c5
MD5 hash:
a8bd32eba42dc367c60e3a0fee9a508d
SHA1 hash:
76d6a6f7b0bf761c9d259807c60d4ad5928ff3f9
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
SH256 hash:
1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324
MD5 hash:
07fe4a4ed7d69821cbcc216c3ff3b109
SHA1 hash:
a00e2c8f2c531b2656695eec954fbf99969b8314
Link:
https://www.unpac.me/results/7ec89859-963e-4276-bd3c-0f8444a546ce/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1815892a1d6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1815892a1d6a47e7d5c2108743f78e20cf5b2283ceba13f232c780dddc3c5324

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388080/

Comments