MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
SHA3-384 hash: 2543f6d5a67c0208db054dcb401691d02ed67124d8f517768f5da8cd4b152a08c079cc2f75ec806ab1e1d6492b3d2e55
SHA1 hash: 76c281f8deffa691c07d822554d8dcf98fe59c3a
MD5 hash: ec980b2eaacb57ec35da3995f975d283
humanhash: whiskey-ink-video-december
File name:Swift Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:641'536 bytes
First seen:2023-10-03 06:47:23 UTC
Last seen:2023-10-03 07:39:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:oGaG5jfdincG9udbntW3khdcm9SrwAlp0iIjavCyXTSJ3ykVZ/65LqRVNumB0:Br55Cudb03khdch5ImTTUykX/qLqRuy
Threatray 43 similar samples on MalwareBazaar
TLSH T120D4122233C94705E979EB750A27A460563CFB3F1A79D72C1C94A1CB0E32B095BA2F57
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter cocaman
Tags:AgentTesla exe SWIFT

Intelligence

File Origin
# of uploads :
2
# of downloads :
294
Origin country :
CH CH
Vendor Threat Intelligence
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/651bb9239b16696e9f8d9416/reports/80d371c5-429c-4e9f-9d8a-3af345c73d51/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7ae28e31-0ee5-48b5-9d99-e29c91741f79
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1318486
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1318486 Sample: Swift_Copy.exe Startdate: 03/10/2023 Architecture: WINDOWS Score: 92 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected FormBook 2->32 34 3 other signatures 2->34 9 Swift_Copy.exe 3 2->9         started        process3 signatures4 40 Injects a PE file into a foreign processes 9->40 12 Swift_Copy.exe 9->12         started        15 Swift_Copy.exe 9->15         started        17 Swift_Copy.exe 9->17         started        process5 signatures6 42 Maps a DLL or memory area into another process 12->42 44 Queues an APC in another process (thread injection) 12->44 19 eluBRpKcJAcbyYF.exe 12->19 injected process7 process8 21 colorcpl.exe 19->21         started        signatures9 36 Deletes itself after installation 21->36 38 Maps a DLL or memory area into another process 21->38 24 explorer.exe 1 21->24 injected 26 eluBRpKcJAcbyYF.exe 21->26 injected process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d/
Threat name:
ByteCode-MSIL.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-10-02 08:44:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vgbl2s5umtxz2ooprbefw43pyjerlgh73jlqs7g3vgzvovc5ewq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
01b15d113f147c931149f8d1c883bbad3c3752cba08a96855774d21a3bb6e44a
AgentTesla
1ef0585dccde8a7c1fac3374d6d4db5abc92a24920f76b9063cfb1e5baa4f711
AgentTesla
457b41f6e8645142562a0cc19dfc477ac19b9f39be9dcafa631f8fbf5c1ad34b
AgentTesla
53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9
AgentTesla
5452d5591e734d9e447e2daac94374327b1f81fd48c111b139f0bda6ffad2fc5
AgentTesla
582b83da6cb0374b90790106f9e4b8a046e9d0b24cbd725c2be985c8c0a149bf
AgentTesla
8132806c05668768f28af83ccb49438520dcb0ece18326db9698623152f35018
AgentTesla
9217a7e79dca986484385b4ee00bf379b1c2b5536f0b388246cb4e39209f8601
AgentTesla
becae35d75141130a7aedcba04c2161c38b3664e82dbdca5ba6a595db6c36789
AgentTesla
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231003-hkrlbaaf73/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
7a87c4120d0fcc4f596b3fcb3f17335b06543ca35b018552b5fd37bb646ac955
MD5 hash:
4380e760eefe417996065312240326b7
SHA1 hash:
4e7cd702276c13e0572dfeacade5fa4023fb3900
Detections:
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
08372fb70ef35b9be3971632f048e1d3f6a476e2249ac7975850f1228a08719f
MD5 hash:
4f8efcbc6acbb9d8e642b4132ec6d9fb
SHA1 hash:
aea948f4f18ca129bca6a9d8596870364a34fa57
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
d60dec072f893a5f398ba30e3a15cb61570cb724c19751afeb2c4c659b59622a
MD5 hash:
8c865d459cbe885b9611d339deb8d457
SHA1 hash:
de13418769a5c9a2cc0050abebc928dfa7b789f1
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
f8e98963b46fc8898797c5921477f6e27ce9f14e510ebf1f1884fd0b7cffbdba
MD5 hash:
25269a9213a12e899e4856a3ee61b2b6
SHA1 hash:
c05a51e3c53fad4f530504204dee402b4cb18a94
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
513d832b6414ca92f71ea7abb910113140519f343c8fee079825d19bec37cae6
MD5 hash:
128feef2cd97a2ee0d369655ab39f214
SHA1 hash:
90d82fff31ca1510bdc670c400faa2893c918341
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
3fd0bedc0411d2ef09bb38f50a70888b9db436aa3f1a3f6340b3957a8bf1cef3
MD5 hash:
f7e3ee72e28761ebde68a3d0e2aeea6f
SHA1 hash:
102da2e7659210602f3ccfbb7768d8478428a565
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
7c181e6d369d846d3e6b83b848909de368f32538731b6fd82f1db34e719f9ee1
MD5 hash:
8ce4fbd28d6c665c43bb3900d7e7c5e5
SHA1 hash:
4157807b7b7df89c8cd0bcf7f833224080902126
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
77637373f65888db4769526a11df094b0836526f4c3d0925d814760271335f3a
MD5 hash:
72ca418a79e9e39e84e5174628f08f61
SHA1 hash:
f4f20217a2a72bae6d6e4e96047c11cbceee7863
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
d81102612da12926635045b23b7983e38e384e3e297ca389f30b52787395ac5a
MD5 hash:
da5cdb072fe0d98fb3c99acd19cb1535
SHA1 hash:
c629f0cc4eaf6fcb359e94a3d5728459555b6b30
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
02f850345e7527659c67f488c06bf58d147c38caf03c0a1332e9f00708a6dc48
MD5 hash:
98368e0b570a685f39dc2034aebd23d6
SHA1 hash:
9b15d6550d8de6864417930139cd9432aa20b159
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
1e747104cb6bf6c93fdf302e995cee0d9f3293f8da1da4a0af2fff0157878164
MD5 hash:
c4d8ad4805eb7eb68234baddbe359e0d
SHA1 hash:
5c69eafc6e9b0cce9dc991f0646b4b5ee897ed8a
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
898d522f6649276076b2064dac2089b1d4201a18335d641f8d02404d9b5e0c57
MD5 hash:
577c525d08acbf7453f14f9d97c46793
SHA1 hash:
0f192debb96a4347b6eac08aaa7c0c6e8b81bf24
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
c611c340765c927d5be031aaab3d530667ded2da9dfe14f561a07e949e5f32b0
MD5 hash:
12a37d220b2455220d48e73e7746f94e
SHA1 hash:
0cad0609a8ba6823812300b999a6f71b6fce0c9d
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
SH256 hash:
e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d
MD5 hash:
ec980b2eaacb57ec35da3995f975d283
SHA1 hash:
76c281f8deffa691c07d822554d8dcf98fe59c3a
Link:
https://www.unpac.me/results/7ffa2d4b-0393-46a1-9acb-8e4ffc5b404c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e54c15ea5da3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 662e508593a21882b6def763f941345fb7aafabfd87394176c66baf8ead79bde

AgentTesla

Executable exe e54c15ea5da3277ce9ce7c4242db9b7e1248acc7fed2b84be6dd4d9abaa2e92d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 662e508593a21882b6def763f941345fb7aafabfd87394176c66baf8ead79bde
  
Dropped by
MD5 607991fe610137de739ecac924bc8336

Comments