MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
SHA3-384 hash: cbb277bf12eebafa80742f422334467670daaa184b6aa586c98b62de86291ecf3f8da2e4fe8d8cda1b0c5a4c20f38525
SHA1 hash: 605dd6dc64b7098a5ade3e27ba03b2f9dd70642e
MD5 hash: 13ccdad4e9ae6c06158edc7f52ae761d
humanhash: sierra-sierra-berlin-massachusetts
File name:Balance payment..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'856'000 bytes
First seen:2021-04-03 18:05:06 UTC
Last seen:2021-04-06 04:12:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (82 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 24576:WnsJ39LyjbJkQFMhmC+6GD93gkU6eUKJq3qYRwL+i6DKYBHl06w+HN:WnsHyjtk2MYC5GD1U6eUKMzTKYBFVt
Threatray 172 similar samples on MalwareBazaar
TLSH 6B85AD29728071BFC427C936CC681E54EA71B9761B1BD60B71A71A9C9E2D683DF201F3
Reporter TeamDreier
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Balance payment..exe
Verdict:
Malicious activity
Analysis date:
2021-04-03 18:07:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7bf009a2-aee0-4a98-8139-c83b18a1f8c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132023/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.623-1.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86c9bc0f-3e33-45e1-b47d-44c4b383b6e9
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
expl.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665171
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide user accounts
Creates HTML files with .exe extension (expired dropper behavior)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 381510 Sample: Balance payment..exe Startdate: 03/04/2021 Architecture: WINDOWS Score: 100 61 smtp.arles-cz.co 2->61 63 us2.smtp.mailhostbox.com 2->63 73 Multi AV Scanner detection for domain / URL 2->73 75 Found malware configuration 2->75 77 Antivirus detection for dropped file 2->77 79 20 other signatures 2->79 9 Balance payment..exe 1 6 2->9         started        12 EXCEL.EXE 24 20 2->12         started        16 Synaptics.exe 2->16         started        signatures3 process4 dnsIp5 53 C:\Users\...\._cache_Balance payment..exe, PE32 9->53 dropped 55 C:\ProgramData\Synaptics\Synaptics.exe, PE32 9->55 dropped 57 C:\ProgramData\Synaptics\RCXA17C.tmp, PE32 9->57 dropped 59 C:\...\Synaptics.exe:Zone.Identifier, ASCII 9->59 dropped 18 Synaptics.exe 56 9->18         started        23 ._cache_Balance payment..exe 6 9->23         started        71 192.168.2.1 unknown unknown 12->71 91 Injects files into Windows application 12->91 file6 signatures7 process8 dnsIp9 65 xred.site50.net 153.92.0.100, 49773, 49774, 49792 AWEXUS Germany 18->65 67 googlehosted.l.googleusercontent.com 172.217.23.33, 443, 49730, 49731 GOOGLEUS United States 18->67 69 16 other IPs or domains 18->69 43 C:\Users\user\Documents\KZWFNRXYKI\~$cache1, PE32 18->43 dropped 45 C:\Users\user\AppData\Local\...\rPGMNyFy.xlsm, Microsoft 18->45 dropped 81 Antivirus detection for dropped file 18->81 83 Multi AV Scanner detection for dropped file 18->83 85 Drops PE files to the document folder of the user 18->85 89 3 other signatures 18->89 25 WerFault.exe 18->25         started        47 C:\Users\user\AppData\...\QQFOJfrBJjkN.exe, PE32 23->47 dropped 49 C:\Users\user\AppData\Local\...\tmp839A.tmp, XML 23->49 dropped 51 C:\Users\...\._cache_Balance payment..exe.log, ASCII 23->51 dropped 87 Adds a directory exclusion to Windows Defender 23->87 27 powershell.exe 26 23->27         started        29 powershell.exe 23->29         started        31 schtasks.exe 23->31         started        33 2 other processes 23->33 file10 signatures11 process12 process13 35 conhost.exe 27->35         started        37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        41 conhost.exe 33->41         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-04-03 18:06:06 UTC
AV detection:
40 of 43 (93.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6sumiwq2x22xpxmpzru23bnq2eyj2gpwifykatvpqw7r7uu67dq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
Similar samples:
0206919af0add6cabd8ee38f1dc151c65630f204c63d4c145105c52f67c23de2
AgentTesla
1e89ff960f161816b8b30fa8a1c75401cc3b9a7554c99cf9dda142712dd81e54
AgentTesla
216e8e00460546e458bf68018a257bb6421ee4dd3f312fcf7125368dbc40313d
AgentTesla
2352a7cd00ed5221c4b807670ca01f49f76beb5dea868d8db38b1fcc0e362c18
AgentTesla
277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
AgentTesla
3ecb471f2c1a3d3f33dbe47bc9457adfb09206948ec16c2d3f9c9a29f5b44508
AgentTesla
8c1003903aca600a1baf242dc981c2d7ef79a95890cf2bb1a057fa6fea2822a0
AgentTesla
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
AgentTesla
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
AgentTesla
fd1b80b0afe3eb7f567268b2ddb4f022a9ac086d78e836605f378ac63630bc22
AgentTesla
+ 162 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger macro persistence spyware stealer trojan
Link:
https://tria.ge/reports/210403-gd1cyz5frs/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Suspicious Office macro
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/b986a9a2-0819-4f99-a8d6-f78fcca32b77/
SH256 hash:
d4055fef8f5c4e218fcd970c87285d80b533f8d5cad1ae828bc6a38849dc210c
MD5 hash:
95ee9fcf56b9ce1e66d3c36b80e23d53
SHA1 hash:
c34727354061462caf0cf030057483158e34c113
Link:
https://www.unpac.me/results/b986a9a2-0819-4f99-a8d6-f78fcca32b77/
SH256 hash:
5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
MD5 hash:
13ccdad4e9ae6c06158edc7f52ae761d
SHA1 hash:
605dd6dc64b7098a5ade3e27ba03b2f9dd70642e
Link:
https://www.unpac.me/results/b986a9a2-0819-4f99-a8d6-f78fcca32b77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132023/

Comments