MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42
SHA3-384 hash: 28613d89a8dfe472f7c0acfb5d3d8bfa1684ee7bacd6abcc2efe2d63e27863c80764e6b91b18c13c290e430af2a68012
SHA1 hash: 68a3c070c85e2eee61a93bd5ac4680f5600f9140
MD5 hash: 4728201d275f72fcf418bc1eb2c6faac
humanhash: blue-nitrogen-happy-king
File name:Revised P.I Officina_images.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:378'368 bytes
First seen:2020-07-22 06:13:09 UTC
Last seen:2020-07-22 07:14:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:71UT1ZJkml7jKg2l97dLhkyZ3TcXvy+INMORh3LyTJKbncZ:71s/l7jq91kw3oXK+EMQQ
Threatray 10'762 similar samples on MalwareBazaar
TLSH 9A84CF4E37919931C5ACA6BAE8D72722C77861931F01EF4F0AD858E919E33C3758278D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.example.com
Sending IP: 103.147.184.169
From: Glamour Textile Mills Ltd <info@glamourtextiles.com>
Subject: FW: Revised P.I Officina 14-07-2020
Attachment: Revised P.I Officina_images.rar (contains "Revised P.I Officina_images.exe")

AgentTesla SMTP exfil server:
smtp.office365.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30738/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52273.2098.7684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun with Startup directory
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394334
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249546 Sample: Revised P.I Officina_images.exe Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 81 Antivirus detection for dropped file 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 7 other signatures 2->87 13 Revised P.I Officina_images.exe 4 2->13         started        17 inquiry.exe 2 2->17         started        19 inquiry.exe 2->19         started        process3 file4 73 C:\Users\user\Revised, PE32 13->73 dropped 75 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 13->75 dropped 77 C:\Users\user\Revised:Zone.Identifier, ASCII 13->77 dropped 109 Maps a DLL or memory area into another process 13->109 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->111 21 Revised P.I Officina_images.exe 1 13->21         started        24 RegAsm.exe 13->24         started        26 RegAsm.exe 2 4 13->26         started        28 conhost.exe 17->28         started        30 conhost.exe 19->30         started        signatures5 process6 signatures7 93 Maps a DLL or memory area into another process 21->93 32 Revised P.I Officina_images.exe 1 21->32         started        35 RegAsm.exe 2 21->35         started        37 RegAsm.exe 21->37         started        95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->99 process8 signatures9 79 Maps a DLL or memory area into another process 32->79 39 Revised P.I Officina_images.exe 32->39         started        42 RegAsm.exe 3 32->42         started        44 RegAsm.exe 32->44         started        process10 signatures11 101 Maps a DLL or memory area into another process 39->101 46 Revised P.I Officina_images.exe 39->46         started        49 RegAsm.exe 39->49         started        103 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->103 process12 signatures13 113 Maps a DLL or memory area into another process 46->113 51 Revised P.I Officina_images.exe 46->51         started        54 RegAsm.exe 46->54         started        115 Hides that the sample has been downloaded from the Internet (zone.identifier) 49->115 process14 signatures15 89 Maps a DLL or memory area into another process 51->89 56 Revised P.I Officina_images.exe 51->56         started        59 RegAsm.exe 51->59         started        91 Hides that the sample has been downloaded from the Internet (zone.identifier) 54->91 process16 file17 105 Maps a DLL or memory area into another process 56->105 62 Revised P.I Officina_images.exe 56->62         started        65 RegAsm.exe 56->65         started        71 C:\Users\user\AppData\Roaming\...\inquiry.exe, PE32 59->71 dropped 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 59->107 signatures18 process19 signatures20 117 Maps a DLL or memory area into another process 62->117 67 RegAsm.exe 62->67         started        69 RegAsm.exe 62->69         started        process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 06:15:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6fovqdgb4cyxa4hx7zemxdmkmalx4tuendk3l4qarzv6lq5ilnba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd
AgentTesla
1eeb2016c83b430e5e444f7dade67a84d441061180087ac57eb8f89d196d4773
AgentTesla
30fe842b10902c8ef83f5de74a6ad0987b391a318f4254ab5a276ab89175b28d
AgentTesla
39c515aecf42295136801c4a1a847d80bc8269ad5cf20c512af98a020cd7a699
AgentTesla
54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9
AgentTesla
558b8c8aefc1c9d95edc73a36381ce4a4f1a3de33208dad867d8b74d9d20aa3b
AgentTesla
93c807a2fb8dff5a30d9f860f1eb98304d8303f8fff4c53c98870201d6d3eb68
AgentTesla
9bcfc07b259ef80e8e639dce55ae194b5bfd74902d825de9cef183035c8ca2c1
AgentTesla
c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd
AgentTesla
+ 10'752 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/200722-75ndvyhszn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Drops startup file
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ebe3749f3d5becb6fec267735ebf26f57901f1ad4727110f8905607322810b13

AgentTesla

Executable exe f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42

(this sample)

  
Dropped by
MD5 2e4f4b3054ef799218c37f6dcf19a47b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ebe3749f3d5becb6fec267735ebf26f57901f1ad4727110f8905607322810b13
Cape
Cape
https://www.capesandbox.com/analysis/30738/

Comments