MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7631235836aa6c88d58c25b9f4665d0c93c35b767d140ec9847e7c531a5d55aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10



SHA256 hash: 7631235836aa6c88d58c25b9f4665d0c93c35b767d140ec9847e7c531a5d55aa
SHA3-384 hash: 0c325cc2636eb87d2b6c950775d44f15d8b2aac94a0faf393a5ad3844324be40faa9f5d0ae2ce5a0b7e43ce3ec09dd79
SHA1 hash: 52320021915f5b9e04010c21ebc3fada9ceb6eac
MD5 hash: 33bc35101f2f216e211468c3a79bcef9
humanhash: fillet-apart-stairway-july
File name: vbc.exe
Signature: AgentTesla
File size: 945'085 bytes
First seen: 2021-11-02 13:31:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep: 12288:GENN+T5xYrllrU7QY6olc4DMpOd9Y72BFwfFwUjkSPps41o0osbNNVtZ:K5xolYQY66FFI2IfFwrGZ1o0oKNNV7
TLSH: T1F215043DA704591BFED6D7FC80D2CC70E1D51DA92AD1DBCA2E8275C41071C8A62E86BE
dhash icon: 489669d8d8699669 (1 x AgentTesla, 1 x Neshta, 1 x CryptOne)
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 102
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: vbc.exe
Verdict: Malicious activity
Analysis date: 2021-11-02 13:43:47 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 83%
Tags: coinminer greyware keylogger overlay packed packed siggen6 swisyn
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: CryptOne AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Powershell drops PE file
Sigma detected: Interactive AT Job
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph: Behavior Graph ID 513759, Sample vbc.exe, Startdate 02/11/2021, Architecture WINDOWS, Score 100 (interactive graph not reproduced)
Threat name: Win32.Trojan.Swisyn
Status: Malicious
First seen: 2021-11-02 13:30:29 UTC
AV detection: 27 of 28 (96.43%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Unpacked files
SHA256 hash: fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash: d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash: 97c5cd9d0689c1cd74685bc979122a13eba3fcc9

SHA256 hash: 25709fbf01ce2423206204b097315dc7cbf084783d0acc908059bc964fe30eea
MD5 hash: 42009267e6556e861afbe6f4904791ed
SHA1 hash: 5bf052aabb1fbc0403c63407d90dd3d9b8d08a71

SHA256 hash: 7631235836aa6c88d58c25b9f4665d0c93c35b767d140ec9847e7c531a5d55aa
MD5 hash: 33bc35101f2f216e211468c3a79bcef9
SHA1 hash: 52320021915f5b9e04010c21ebc3fada9ceb6eac
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: buerloader_halo_generated
Author: Halogen Generated Rule, Corsin Camichel

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments