MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bfe42139157de0d0c73ccea8bbf24f8368444cfd5bb4b58300d902bbfa48848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	5bfe42139157de0d0c73ccea8bbf24f8368444cfd5bb4b58300d902bbfa48848
SHA3-384 hash:	dc5425c4329a1f177f48403a4ba9ead629a853644827910889ae6a89d0b94504c505dc73cdb2fc6d30ea98a68e95a238
SHA1 hash:	c6adff1321bb62bf47a9265882c91d577b16f47e
MD5 hash:	08750fd649e8084ac1e1db89d96212ee
humanhash:	triple-pluto-fillet-high
File name:	SecuriteInfo.com.Mal.VMProtBad-A.21942.8290
Download:	download sample
File size:	3'052'184 bytes
First seen:	2020-06-08 23:37:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5cdfba68edbb115e7aa5ed6776bb6546 (29 x RedLineStealer, 1 x MassLogger)
ssdeep	49152:0kQTAnZssVEfPPXOlix9wWCBW5FPTmGXpAMG2rUtNQ9H+T:0anZ9EfPPXf/TBTxAkgOoT
Threatray	11 similar samples on MalwareBazaar
TLSH	FAE533257940C031D47A0C7686E6AB3ED626712247B542CFB2FEA37AFE242D5973318D
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Mal.VMProtBad-A.21942.8290.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-06-08 20:14:53 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

42a630cda5266fd03e55bb8621e6d14cf5a6b0abda2426be1a657522c1bbb3a7

484ff6267219f9eb4794c1f20aaa9562a459e0d1a787743592b1532eda3be541

5b113b08d25005c3195b8144e422bdd1a2f866fc3cf9d6bc641f006539e97e07

6057a10b27aebb92f7d961ce23929dc41579f6da1dcbf28572d8c5f0ffac488b

610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4

8a92e6115a329e47ab36222d86ea3f58f56b0a58b1010d2da280067346f38b21

e9e9a0314ec1302997e3382807436f43a70e0dc2c165aafa6b5b8f3856d04d0d

f0e91f423775ca9ba80077774a4de1a212e890d285bdb587b003d57ba0f68b1c

fdf5f9635c047cde3c096139490f3462d03434986b1450ca5f01be74e1f5b559

+ 1 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan vmprotect

Link:

https://tria.ge/reports/201109-97cgfvp5gx/

Behaviour

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

VMProtect packed file

AgentTesla Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 5bfe42139157de0d0c73ccea8bbf24f8368444cfd5bb4b58300d902bbfa48848

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/384142/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample