MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
SHA3-384 hash: 792042592bd7afc336d390ffc0d8e6e4b384d9d48db90e93e3119e70cc66edf424dff03836c66587f697de63b534cde4
SHA1 hash: 7d89c0afae3556c07d885bd6de630879e87aac08
MD5 hash: 7e4e387381eb7eff16c3a6af019173ee
humanhash: winter-earth-washington-stairway
File name:requirement-2021.exe
Download: download sample
Signature DarkComet
Create hunting rule
File size:1'517'568 bytes
First seen:2021-06-25 06:15:33 UTC
Last seen:2021-06-25 06:52:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:hnzhEp1PernaSqDGZWw/gnX5sPJRHnHWvu+XC3o6bn7exOzb4Sacmp:9zbrnBqpX5sPJKu24Lb7pzb4v
Threatray 6'140 similar samples on MalwareBazaar
TLSH 4F6502303AFA9819F277BF35DED86095CABEF6633603D96D6895138A4503B02DD814BC
Reporter lowmal3
Tags:DarkComet exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
849
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
requirement-2021.exe
Verdict:
Malicious activity
Analysis date:
2021-06-25 06:19:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47fecfe9-fd83-4921-ae18-8c60924d78ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168225/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.18576.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Win32.Save.a.20126.3238.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3cb0b70c-9c09-4cd2-8ecb-ec097221cbcd
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807927
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Drops PE files to the document folder of the user
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 440338 Sample: requirement-2021.exe Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 76 prda.aadg.msidentity.com 2->76 78 freedns.afraid.org 2->78 82 Found malware configuration 2->82 84 Antivirus detection for dropped file 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 8 other signatures 2->88 10 requirement-2021.exe 7 2->10         started        14 Synaptics.exe 4 2->14         started        16 EXCEL.EXE 2->16         started        signatures3 process4 dnsIp5 66 C:\Users\user\AppData\Roaming\KDnQCQb.exe, PE32 10->66 dropped 68 C:\Users\user\...\KDnQCQb.exe:Zone.Identifier, ASCII 10->68 dropped 70 C:\Users\user\AppData\Local\...\tmpD946.tmp, XML 10->70 dropped 72 C:\Users\user\...\requirement-2021.exe.log, ASCII 10->72 dropped 90 Machine Learning detection for dropped file 10->90 92 Uses schtasks.exe or at.exe to add and modify task schedules 10->92 94 Injects a PE file into a foreign processes 10->94 19 requirement-2021.exe 1 5 10->19         started        22 schtasks.exe 1 10->22         started        24 Synaptics.exe 14->24         started        26 schtasks.exe 14->26         started        74 192.168.2.1 unknown unknown 16->74 file6 signatures7 process8 file9 50 C:\Users\...\._cache_requirement-2021.exe, PE32 19->50 dropped 52 C:\ProgramData\Synaptics\Synaptics.exe, PE32 19->52 dropped 54 C:\...\Synaptics.exe:Zone.Identifier, ASCII 19->54 dropped 28 Synaptics.exe 5 19->28         started        31 ._cache_requirement-2021.exe 2 19->31         started        33 conhost.exe 22->33         started        56 C:\ProgramData\...\._cache_Synaptics.exe, PE32 24->56 dropped 35 ._cache_Synaptics.exe 24->35         started        37 conhost.exe 26->37         started        process10 signatures11 96 Multi AV Scanner detection for dropped file 28->96 98 Drops PE files to the document folder of the user 28->98 100 Machine Learning detection for dropped file 28->100 102 Injects a PE file into a foreign processes 28->102 39 Synaptics.exe 28->39         started        43 schtasks.exe 28->43         started        104 Antivirus detection for dropped file 31->104 106 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 31->106 108 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->108 process12 dnsIp13 80 xred.mooo.com 39->80 58 C:\Users\user\Documents\BJZFPPWAPT\~$cache1, PE32 39->58 dropped 60 C:\Users\user\Desktop\requirement-2021.exe, PE32 39->60 dropped 62 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 39->62 dropped 64 4 other malicious files 39->64 dropped 45 ._cache_Synaptics.exe 39->45         started        48 conhost.exe 43->48         started        file14 process15 signatures16 110 Antivirus detection for dropped file 45->110 112 Multi AV Scanner detection for dropped file 45->112 114 Machine Learning detection for dropped file 45->114
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 06:16:19 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jznn2ed6qoqhhpmxw6kubh2buhqndmtlr27mvy4pfypyawum3xta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1109e9c4a8dceb63160c59807b81adc6d4e82c28529c80bd1ff80993dc906508
DarkComet
1c4cbe5a3adfa0a596eabff32c6a43fe2f5fc2be1dcf71bddbd0c1200d7451a8
DarkComet
2df39e2f69745aac9cda8985b6d07deca0957a43db332e61fa080bd62b30bcb4
DarkComet
769ac374cd86dc2766ef985d8a462247c4b1aaef61e3d935fa8c021adb923d52
DarkComet
82974999943578ea16bc86bc5e87c7a6122e24593a9adc2f069f81be85ed79cd
DarkComet
8b345f73d84e6fc765d7907aaa33d844ef2c180024baeaa53ff895bab8e19356
DarkComet
9a9f7ea8a021b5c4e7984076bfe6f0ab42bddb7b50fa18ef0da17c12e8ef95e1
DarkComet
b5aeb6d277320df561d9bb77a95e976c5527c17441292ec7b5bafc441fe746d0
DarkComet
df5e40d1e917f0bd4c424f65c8e2557d094f5eff22b4ba6f63f093333ebbb8a9
DarkComet
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
DarkComet
+ 6'130 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210625-w7r9t6x9v6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
SH256 hash:
0f0fd02c85f22b6a081fe8ede47bfbd86486ad87fbe17ccc99ae032bdbd8c674
MD5 hash:
ae355079acc3539e140ac961071f2fb3
SHA1 hash:
edd7ee3f2df7f1fff337be19f4b2a8904cb6f4dc
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
SH256 hash:
1e3bfc17e24b3f33bb35be0e931fc324267c3db1525d9f2aa2f15ba93464f1d0
MD5 hash:
acb6366b638631ef80b16ada6357ee01
SHA1 hash:
e6932cf3c5e2a1caca4a462bbf239eb31d5e3f7a
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
SH256 hash:
172a6538c93c6294262445c3d5fc98a941ae83c521b21ad66c6b8a6b89274bd6
MD5 hash:
f75da3e60b30692d6cdd21119fad1d30
SHA1 hash:
dc9c86331f83e0850fb651bf7c2494cc58d1221d
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
SH256 hash:
4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
MD5 hash:
7e4e387381eb7eff16c3a6af019173ee
SHA1 hash:
7d89c0afae3556c07d885bd6de630879e87aac08
Link:
https://www.unpac.me/results/136afb66-5357-47a8-a301-f1e32a445ed6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkComet

Executable exe 4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/168225/

Comments