MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
SHA3-384 hash: b31b3da16f7903640db2c0214e6be47474212b6e8a73b9512515e7e41753eab36d0b16dfbbcd03b943b3913c23019994
SHA1 hash: e58ce65abb2e842c50f639a172bea354f3953ece
MD5 hash: 3c5195e38df6db40226a1eef5c373ef3
humanhash: monkey-oscar-batman-mango
File name:HSBC Payment_Advise_Pdf_________.exe
Download: download sample
Signature NanoCore
Create hunting rule
File size:411'920 bytes
First seen:2020-09-28 13:48:09 UTC
Last seen:2020-09-28 14:46:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:aAxXBpoeDTcsmJw/PAuBhQfgy4hnd9wDbgkHt9OEOvP:aAK8Tyy/TWfgyA9wngkH7ObP
Threatray 195 similar samples on MalwareBazaar
TLSH E5949DAA7785EAB1E7BD6E30440214D30251BEC10FC751896FED3E5B59F28810D9BAE3
Reporter James_inthe_box
Tags:exe NanoCore

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.276.12854.31315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476447
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 290686 Sample: HSBC Payment_Advise_Pdf____... Startdate: 28/09/2020 Architecture: WINDOWS Score: 100 65 mail.bahsabiest.com 2->65 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Antivirus detection for dropped file 2->71 73 8 other signatures 2->73 9 HSBC Payment_Advise_Pdf_________.exe 12 2->9         started        13 ExQTKw.exe 2->13         started        15 ExQTKw.exe 2->15         started        signatures3 process4 file5 53 C:\Users\user\AppData\Roaming\tmp.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\name.exe.lnk, MS 9->57 dropped 59 2 other malicious files 9->59 dropped 83 Writes to foreign memory regions 9->83 85 Allocates memory in foreign processes 9->85 87 Injects a PE file into a foreign processes 9->87 17 tmp.exe 2 4 9->17         started        22 cmd.exe 1 9->22         started        24 cmd.exe 3 9->24         started        26 4 other processes 9->26 89 Antivirus detection for dropped file 13->89 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->91 93 Machine Learning detection for dropped file 13->93 95 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->95 signatures6 process7 dnsIp8 61 mail.bahsabiest.com 185.141.190.67, 49755, 49758, 587 A2HOSTINGUS United States 17->61 47 C:\Users\user\AppData\Roaming\...xQTKw.exe, PE32 17->47 dropped 75 Antivirus detection for dropped file 17->75 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->77 79 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->79 81 6 other signatures 17->81 28 reg.exe 1 1 22->28         started        31 conhost.exe 22->31         started        49 C:\Users\user\AppData\Roaming\...\name.exe, PE32 24->49 dropped 33 conhost.exe 24->33         started        63 192.168.2.1 unknown unknown 26->63 51 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 26->51 dropped 35 iexplore.exe 12 84 26->35         started        37 conhost.exe 26->37         started        39 conhost.exe 26->39         started        41 2 other processes 26->41 file9 signatures10 process11 signatures12 97 Creates an undocumented autostart registry key 28->97 43 iexplore.exe 65 35->43         started        45 iexplore.exe 35->45         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-27 23:35:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mxq7q3phw2pu5lbugdcjov5vwemqlxwwrwngy7i6zjdpqye5wsqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19b7ae6956a38825ac143952843f6e046c642a9dc635e18d4f84dcff4568c142
NanoCore
292593bea6386f07e2349a1df9d7eb04ab845d51368605b0c63825e6fffbb120
NanoCore
7a5cf1b0f0b115b160a48992609c57b8f9c4591a736ffc052549b2f1e91e2eb7
NanoCore
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
NanoCore
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
NanoCore
c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
NanoCore
c6a9e6b49e72daeffbffe9c46f56b5147d1885ff0b2c202558d794c258b71818
NanoCore
c9692914eb11d2c1cfb26bae5877943c1769994f857f0aa85b8c8f5064a2f042
NanoCore
d3345db33851543b968f728d2a342c49dc72b0dc633da851518d8585e53af3ce
NanoCore
e03c4f9c8ae0b28a7538315c3af97428339911bd6118371c0459adfd14abca44
NanoCore
+ 185 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200928-61e5vrk7ze/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
MD5 hash:
3c5195e38df6db40226a1eef5c373ef3
SHA1 hash:
e58ce65abb2e842c50f639a172bea354f3953ece
Link:
https://www.unpac.me/results/f4018d03-cd00-4c0c-9ef6-a9a916691c50/
SH256 hash:
d75fdbc6326a1f4fe25da53ce9ea5235e4496a888b560cd8d55934339f599326
MD5 hash:
203d636f64a53a60fc32be9f776569e3
SHA1 hash:
c173ccb83b0a9e3360771ad1289b34746469fcb1
Link:
https://www.unpac.me/results/f4018d03-cd00-4c0c-9ef6-a9a916691c50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/66433/

Comments