MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50
SHA3-384 hash: 003e28bda221f9363e5cb0e64c15163c909a0a5e56bce907eef0f6c729e0412ec131e409eaaa45b1d83ad0e5c1f91ddf
SHA1 hash: 33ae9c59bfe576e3ff1318d764fdbda05dfa26e2
MD5 hash: 60c08a798dfec76af8ebab5b019faffc
humanhash: nitrogen-oxygen-rugby-fish
File name:believehot23 cccc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:22'096 bytes
First seen:2021-02-26 06:53:14 UTC
Last seen:2021-02-26 08:53:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:EF1ILPD1Ue3qcS5GOMXGNYNgStZKIIGjSLWgkQqlbD+GUpSDUD89DTphX:E1ILPRUe3qcS5G8NYNTZTjSLr+lbD+rc
Threatray 2'941 similar samples on MalwareBazaar
TLSH 0DA27C175FF7591EE8E98A3C24E3841EFA30BB45D552816B90DCB010CADF7882A2DE75
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.parmtex.xyz
Sending IP: 139.59.236.19
From: GAN Phei Yun <phei-yun.gan@arkemas.com>
Subject: PLEASE PROVIDE YOUR BEST PRICES
Attachment: believehot23 cccc.iso (contains "believehot23 cccc.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
believehot23 cccc.exe
Verdict:
Malicious activity
Analysis date:
2021-02-26 07:00:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9474341d-26e3-49f5-a83e-89d1db5e8855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119344/
Detection(s):
SecuriteInfo.com.Artemis60C08A798DFE.16459.10976.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Creating a file
Creating a window
Setting a single autorun event
Blocking the User Account Control
Sending an HTTP GET request to an infection source
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/619430
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358710 Sample: believehot23 cccc.exe Startdate: 26/02/2021 Architecture: WINDOWS Score: 88 64 Multi AV Scanner detection for domain / URL 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 Binary contains a suspicious time stamp 2->68 70 4 other signatures 2->70 7 believehot23 cccc.exe 23 12 2->7         started        12 explorer.exe 2->12         started        14 svchost.exe 2->14         started        16 13 other processes 2->16 process3 dnsIp4 60 coroloboxorozor.com 104.21.71.230, 49710, 80 CLOUDFLARENETUS United States 7->60 44 C:\Program Files\Common Files\...\svchost.exe, PE32 7->44 dropped 46 C:\...\svchost.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->48 dropped 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->50 dropped 72 Adds a directory exclusion to Windows Defender 7->72 18 AdvancedRun.exe 1 7->18         started        21 powershell.exe 23 7->21         started        23 powershell.exe 12 7->23         started        32 2 other processes 7->32 25 svchost.exe 12->25         started        74 Changes security center settings (notifications, updates, antivirus, firewall) 14->74 28 MpCmdRun.exe 14->28         started        62 127.0.0.1 unknown unknown 16->62 30 svchost.exe 16->30         started        file5 signatures6 process7 dnsIp8 52 192.168.2.1 unknown unknown 18->52 34 AdvancedRun.exe 18->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        54 coroloboxorozor.com 25->54 76 System process connects to network (likely due to code injection or exploit) 25->76 56 172.67.172.17, 49729, 49735, 80 CLOUDFLARENETUS United States 30->56 58 coroloboxorozor.com 30->58 40 conhost.exe 32->40         started        42 AdvancedRun.exe 32->42         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 06:54:07 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfnhnzqchic2xubdpe34vuzvhpaqj2l64gos7pguoxqxegztbria._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
AgentTesla
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
AgentTesla
3dfc4c40e95c69c2f87baf8ce364a350823404e78bb4ed97807330f398753f76
AgentTesla
49a4c95599f7bfe481ed85792ded20eae37d7a3889d43f81c349314cf87e6219
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
a8a9cb21be93047b223bd90d741d9eabdde0d1272f738f4c64720e5caceafe89
AgentTesla
bcfcc5a278671fbe1b5f5f27c6d61921add83e57a0c61f80a165455b3fe0875a
AgentTesla
f4dcdf575d7c25bdba3e73ac2ff890b1103dcf43325b8876c5215204fcf7d1fb
AgentTesla
fe443666d12a1f8abc14589390805436e14c0131b9705c38dd425a1f687e8949
AgentTesla
+ 2'931 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210226-8kej3f6sq6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50
MD5 hash:
60c08a798dfec76af8ebab5b019faffc
SHA1 hash:
33ae9c59bfe576e3ff1318d764fdbda05dfa26e2
Link:
https://www.unpac.me/results/23f76a40-f895-425d-b9cc-b76636a69b83/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 45f03427c918d20bf93b9c1ed5c506d873c0a88300e1c3e94b6cc9eb9d9346a7

AgentTesla

Executable exe c15a76e6023a05abd0237937cad3353bc104e97ee19d2fbcd475e1721b330c50

(this sample)

  
Dropped by
MD5 0f320620191075f3d372d2e200e43fb9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/119344/
  
Dropped by
SHA256 45f03427c918d20bf93b9c1ed5c506d873c0a88300e1c3e94b6cc9eb9d9346a7

Comments