MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682
SHA3-384 hash:	2f3558d9cc8aec43321a2a5e7f4bc41ab1f3c0f358978936e6b50ecaded023826305785b3a53544fc39171a0a745bfe9
SHA1 hash:	4ab1447cb8c99454ebbc38baa781af4d2ff175dc
MD5 hash:	f23a47090cde5afeaafaf7223887fc98
humanhash:	robert-oklahoma-august-hydrogen
File name:	b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	869'888 bytes
First seen:	2025-10-09 14:14:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:geXopiMkjeq9SpYIuQj88G0sKaIhsRNQ+VGVJimsMSsJoiifEhEAEo:geXYiU5o078QKGXxsM3if2EAEo
TLSH	T12205125577AADA12D4B29BB40D30C7B806BCBE0DB831C2065EE6ACEF3D34B605945356
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

Verdict:

Malicious activity

Analysis date:

2025-10-09 16:12:05 UTC

Tags:

stealer evasion ultravnc rmm-tool exfiltration smtp

Link:

https://app.any.run/tasks/8b92405b-b17f-4d83-9831-7ee40c2a17bb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/31413/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e7c407277c2bd8bc5e61c6

Tags:

virus spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process with a hidden window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Launching a service

Forced shutdown of a system process

Stealing user critical data

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68e7c9855a3bccf09ebf4f07/reports/9218bd5a-a38f-4190-8aeb-62b1cd4ac021/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-18T06:54:00Z UTC

Last seen:

2025-10-10T00:04:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/de13502c-299f-4171-8efb-287e37e5701e

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86

Link:

https://app.malva.re/file/f23a47090cde5afeaafaf7223887fc98

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682/

Threat name:

ByteCode-MSIL.Trojan.VIPKeylogger

Status:

Malicious

First seen:

2025-09-18 10:20:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=whsrlyhj26f24dr366lmabrhczvaxzemy3dqwdvjpqpqbszv22ba._file

Verdict:

malicious

Label(s):

unc_loader_037

unc_loader_001

unc_loader_078

Similar samples:

error

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/251009-r1zraszmv6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ecef32c9-a0f3-4585-ab02-8d307d2fe991

Unpacked files

SH256 hash:

b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

MD5 hash:

f23a47090cde5afeaafaf7223887fc98

SHA1 hash:

4ab1447cb8c99454ebbc38baa781af4d2ff175dc

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

SH256 hash:

0831e8630ec4bb7fe42f05397baab04d2de614bc6dfff43a233ac4aa6233cf57

MD5 hash:

d3dafd6038bdfbedac0b5dc7d1b91ddd

SHA1 hash:

063f7da04057f7fa730bc72c4a6d82c436909fde

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

SH256 hash:

1041b538ccbc7d66e59247ef7551cde9b6c282843541585e9190a8e2e3943b12

MD5 hash:

e870d1e8f3791ccc141f85f40fd2972b

SHA1 hash:

150919ee289cffa6feb40ab8261f620dd7e26aac

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

SH256 hash:

3990e25771cb07beec4202f89083bd9d088eafb19ca9588f1ce475db5f3885ca

MD5 hash:

b8cd58f6efea6336d15131774786e4be

SHA1 hash:

bd90879ef77a42c357d2cfd4a450207c98e4b9f0

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

Parent samples :

5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

SH256 hash:

fdb4f30c93b7bd02447547c279aa33ed19c3dfa0a3e8d11f14f89b69dc76fd8a

MD5 hash:

03719936e7ab21672dbc70858f186bb6

SHA1 hash:

04bf6493b25b35e7b9f37bfd4829654ef3fc6cfd

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

Parent samples :

5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

SH256 hash:

f213013e752edb96853b1bdbda9ca10c98e926d7c2e6b0a01ba5eb131dcb473e

MD5 hash:

ac81028a03b49dd0ddcc540e479cf41d

SHA1 hash:

06c5ccbdf80958eb5935eee73258cbbc86a03b07

Detections:

AgentTesla

SUSP_OBF_NET_Reactor_Indicators_Jan24

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/05fe14f4-0d7e-4c62-be3a-7aee12739351/

Parent samples :

5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b1e515e0e9d7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31413/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample