MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fbe661cc28646ebb59e1b6e9369ed705150c5fa5ca9c001359feac41a5f6088. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

SHA256 hash: 4fbe661cc28646ebb59e1b6e9369ed705150c5fa5ca9c001359feac41a5f6088
SHA3-384 hash: 1fe1be2c587c1fe36fdc0db00de91923958e9dd1cc67762022629bd5e805aedd4aeb340e0b74f02ddcde6956ea4a0994
SHA1 hash: b02d2380cfa7ec7020345b11083b6848d1786e61
MD5 hash: d60058b3b4c104c433081121a7357cd8
humanhash: illinois-echo-artist-cold
File name: HighRiGGold9Batch.exe
Signature: AgentTesla
File size: 1'454'880 bytes
First seen: 2020-10-01 20:05:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4c264189921b6e4832d60e2681cf4094 (2 x AgentTesla)
ssdeep: 24576:5SW6SIhZbWsv+6szFB8hxeZwS5j6v3PSgQ8I2dNh7P7Y823HYvXXQgmv:59aMfHDZw/ffxdHzY3HinNC
TLSH: 3965AE17DEE0447EC23B3DB6680612749427EE38EF2CA446B6F2FF045A356632D9E152
Reporter: James_inthe_box
Tags: AgentTesla exe

Code Signing Certificate

Organisation: www.norton.com
Issuer: DigiCert SHA2 Extended Validation Server CA
Algorithm: sha256WithRSAEncryption
Valid from: Sep 16 00:00:00 2020 GMT
Valid to: May 19 12:00:00 2021 GMT
Serial number: 0CA1D9391CF5FE3E696831D98D6C35A6
Thumbprint Algorithm: SHA256
Thumbprint: 9A235769A960AB72FA45E22D92B53F490DC61F8EC48B44A7566913EEE07CE532
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 103
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to disable the Task Manager (.Net Source)
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Csc.exe Source File Folder
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Orcus RAT
Behaviour
Behavior Graph (ID 292302; sample HighRiGGold9Batch.exe; start date 01/10/2020; architecture WINDOWS; score 100)
Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures

Process tree (node numbers as in the graph; "dropped" lists files written by that process):
  12 HighRiGGold9Batch.exe
     signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Queues an APC in another process (thread injection); Contains functionality to detect sleep reduction / modifications
     17 notepad.exe
        dropped: C:\Users\user\AppData\...\GvFndnBatchX2.exe (PE32); C:\Users\user\AppData\...\GvFndnBatchX2.vbs (ASCII); C:\...\GvFndnBatchX2.exe:Zone.Identifier (ASCII)
        signatures: Creates files in alternative data streams (ADS); Drops VBS files to the startup folder
        23 GvFndnBatchX2.exe
           signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
           30 GvFndnBatchX2.exe
              network: dailyupdates.theworkpc.com 185.244.30.148, ports 49735, 49736, 49737 (DAVID_CRAIGGG, Netherlands); 192.168.2.1 (unknown, unknown)
              dropped: C:\Users\user\AppData\...\0ndmbxrl.cmdline (UTF-8)
              signatures: Installs a global keyboard hook
              41 csc.exe
                 dropped: C:\Users\user\AppData\Local\...\0ndmbxrl.dll (PE32)
                 52 conhost.exe
                 54 cvtres.exe
           35 GvFndnBatchX2.exe
  15 wscript.exe
     21 GvFndnBatchX2.exe
        signatures: Maps a DLL or memory area into another process
        26 GvFndnBatchX2.exe
           37 GvFndnBatchX2.exe
              signatures: Maps a DLL or memory area into another process
              44 GvFndnBatchX2.exe
                 56 GvFndnBatchX2.exe
                    signatures: Maps a DLL or memory area into another process
                    62 GvFndnBatchX2.exe
                       70 csc.exe
                          dropped: C:\Users\user\AppData\Local\...\kvyph-12.dll (PE32)
                    64 GvFndnBatchX2.exe
              46 GvFndnBatchX2.exe
                 59 csc.exe
                    dropped: C:\Users\user\AppData\Local\...\tevfx1mm.dll (PE32)
                    66 conhost.exe
                    68 cvtres.exe
        28 GvFndnBatchX2.exe
           39 csc.exe
              dropped: C:\Users\user\AppData\Local\...\8fx7k_zm.dll (PE32)
              48 conhost.exe
              50 cvtres.exe
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-10-01 20:05:01 UTC
File Type: PE (Exe)
Extracted files: 50
AV detection: 26 of 29 (89.66%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: upx keylogger stealer trojan spyware family:agenttesla
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
JavaScript code in executable
Drops desktop.ini file(s)
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash: 4fbe661cc28646ebb59e1b6e9369ed705150c5fa5ca9c001359feac41a5f6088
MD5 hash: d60058b3b4c104c433081121a7357cd8
SHA1 hash: b02d2380cfa7ec7020345b11083b6848d1786e61
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: MAL_BackNet_Nov18_1
Author: Florian Roth
Description: Detects BackNet samples
Reference: https://github.com/valsov/BackNet

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments