MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578
SHA3-384 hash: ce5833b0d0c25ac9e645572e736eb316ce4fea67d6b2a5ef0000ec33f19511cdb7dc9d79013a7b38cc8d1fac3f699aee
SHA1 hash: 6bcd9a0c584d57d78beffba7a62a01db290cd6e2
MD5 hash: ebf8a4b75aff674689aee8ab5c6c259a
humanhash: quebec-autumn-oscar-beryllium
File name:RankupServicecleaner.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'028'032 bytes
First seen:2026-01-19 21:03:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 88f70fb82598484a7ce88eef6418418b (27 x AsyncRAT, 13 x AgentTesla, 4 x XWorm)
ssdeep 24576:6Hf84r7YFz75ELy9vS9/aOHR+SfEstbokJMxqavDzWLyvt487diDxHp+0:E8a7anKy1S9/aOHRnMUod1vDSLyh7
Threatray 171 similar samples on MalwareBazaar
TLSH T1DD95C07BB122CB6CD0CAC5B824E396F21D307E141AB6524616CE1B5F2EB3D502D5E98F
TrID 59.6% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.0% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter burger
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a335e0a9-296f-41ab-bd51-c673151afa9e/
Malware family:
n/a
ID:
1
File name:
RankupServiceFreeCleaner.lnk
Verdict:
Malicious activity
Analysis date:
2026-01-19 21:01:04 UTC
Tags:
susp-lnk devtunnel rmm-tool loader anti-evasion
Link:
https://app.any.run/tasks/111f9c13-c757-4fb0-8a4d-1ab4cd0ede15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49444/
Detection(s):
SecuriteInfo.com.Dropper.Generic_c.AEO.1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.Troj_Obfusc.Z.gen.Eldorado.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696e9c22f3cf908ba5067c9a
Tags:
vmdetect emotet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm anti-vm bitsadmin dllhost evasive fingerprint lolbin obfuscated packed packed regsvr32 replace
Link:
https://www.filescan.io/uploads/696e9c1e607e8377fadd1c4b/reports/f4f2ac9e-0dba-47b6-9ac6-a6cd9390357d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578
Verdict:
Clean
File Type:
exe x64
First seen:
2026-01-18T08:23:00Z UTC
Last seen:
2026-01-19T22:55:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578/results?tab=lookup
Malware family:
Lenovo
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a620f002-291b-4feb-a24a-2fb5b989846f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1853658
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578
Verdict:
inconclusive
YARA:
7 match(es)
Tags:
.Net Executable PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/ebf8a4b75aff674689aee8ab5c6c259a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54k3zucfowvltzzyjaebyojgsjnd477xyhu5rncbx3qhnsoycv4a._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
55489c3d3a99d1f2af4e5a3607f4f6d8bc5832857ac3787567f1c408eb31ec51
AgentTesla
75aa04510c1947545f192b7838d1ffa868592dbc8ec2739283853a356f6b962b
AgentTesla
7d762632cff476032847ec9e7eaaa403009624e1c1ec87cb92371e84df25945d
AgentTesla
aeb3b9cc647b9852092549fd0d8b227da7ebd15677e16a118cd0c0598992879b
AgentTesla
be2933cd03e4c2aaf273536586bb87f4c3113303e4ec933948e922552930bb87
AgentTesla
dd753f6e5c4286e55706616ea1df3acb92f8798c350b0e3ee2be66066f335bdc
AgentTesla
e97d951d16cf830c8ac014afb27c6b09736527ef963c2eb973f95c2f4bbeadc4
AgentTesla
error
AgentTesla
+ 161 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/260119-zv7hyset8f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks for VMWare Tools registry key
Looks for VMWare services registry key.
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/67dc8251-ec5d-4850-944e-fb1073627c17
Unpacked files
SH256 hash:
ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578
MD5 hash:
ebf8a4b75aff674689aee8ab5c6c259a
SHA1 hash:
6bcd9a0c584d57d78beffba7a62a01db290cd6e2
Link:
https://www.unpac.me/results/aeca64ac-a596-400e-94b8-83f541f8094f/
SH256 hash:
48c659c4f9f4309baae1f396c8138ea27e3034a51f06b4434f0eae9d70e3fbbe
MD5 hash:
93ed463d710e91cd7124fe51a102d095
SHA1 hash:
95aaf345290c6a6187104eebad72e653345047ae
Link:
https://www.unpac.me/results/aeca64ac-a596-400e-94b8-83f541f8094f/
SH256 hash:
95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725
MD5 hash:
95b2c0f892fe4c15ac1d4929bcb54df1
SHA1 hash:
b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd
Link:
https://www.unpac.me/results/aeca64ac-a596-400e-94b8-83f541f8094f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef15bcd04575/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Enigma
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Enigma
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla

Shortcut (lnk) lnk 75aa04510c1947545f192b7838d1ffa868592dbc8ec2739283853a356f6b962b

AgentTesla

Executable exe ef15bcd04575aab9e73848081c3926925a3e7ff7c1e9d8b441bee076c9d81578

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/49444/
  
Dropped by
SHA256 75aa04510c1947545f192b7838d1ffa868592dbc8ec2739283853a356f6b962b
  
Dropped by
MD5 fc4bdf16d737dfa6951485346c0d3fdc
  
URLhaus
https://urlhaus.abuse.ch/url/3760443/
  
Delivery method
Distributed via web download

Comments