MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad9ce2c06fa6d4d7aec28f88efb62d16f29904de627eb08f10023803365c0327. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad9ce2c06fa6d4d7aec28f88efb62d16f29904de627eb08f10023803365c0327
SHA3-384 hash: 5d6f8b7dcd6ded64069df7226e178aa8ecbe142ecef275396c5987dbbd8f0176e5b0020a9ec250e1eb7a84cc6016fb2d
SHA1 hash: 5dc7c6a4a29d519d68f69dc9e5f1b131ebbc0e49
MD5 hash: 3a674e970ad5a7b77bb1465d4a858be3
humanhash: tango-arkansas-montana-island
File name:vbc.exe
Download: download sample
File size:950'272 bytes
First seen:2022-10-12 14:46:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GYeQp/eOh5u8MhBTIaNt3Ea5yKHQ+1nIpeyS9aBk/d6A2eeCcrV3u2xHqFfA:GYi6iTIGN0KHQ+1uJKail6A2pCcrY
Threatray 1'958 similar samples on MalwareBazaar
TLSH T19E156BBA2192514FD8167131C8C7DAF32AFB6D607116D1C796D32F6FBC480BF9A12292
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0c4c4a4c4cb4b4b4 (26 x SnakeKeylogger, 9 x Formbook, 5 x AgentTesla)
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319421/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1620.18249.28418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6346d3669162672e63eecf45/reports/f4ac7607-e992-4888-b762-97e6fa5c0cb5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d5fe5658-2f33-4bfd-9623-d423e481c06c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1088887
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad9ce2c06fa6d4d7aec28f88efb62d16f29904de627eb08f10023803365c0327/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-12 14:44:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwoofqdpu3knplwcr6eo7nrnc3zjsbg6mj7lbdyqai4agns4amtq._file
Verdict:
malicious
Similar samples:
5260cdeaf4465a57fe46cd497f2c668b73ba985f6ac8f58da0a271dfa9513765
5f35ca42912431ff5592f1a2913e4136a888fc9c04f1655a2c52998a5d2161ac
672dfe85ece65a72aab50b726b15e61ae7b562f19de89ef17e5fe988abc85823
93e390a0b385cbe75e53b89b22f597e9cbb339c33fccebba1a7c1d3a05b48cf9
b0cc713a53943e85ab08b4a9931ccb436cbc6cd9c38d2dbe6495d35d53d3852a
b673ccbb584d0c5bc0f052883d2235b6eec5a68cb7c8c78c3b6faf6be863de3d
deac8ad34ff6f59a3ccdb8161f7aff94cdb9780d74201f77142c34bccf0fcd18
+ 1'948 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221012-r5vm5sgaa2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Uses the VBS compiler for execution
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7062e95f-afc6-4a6b-8850-5b59b37271b7
Unpacked files
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/23b540db-681d-4ae8-b432-fc58a5495c1b/
SH256 hash:
af7ac1171b44c9a949ad80bfaf05095048d0b74cfb527f66479e22f47d340110
MD5 hash:
f696dc0e00cb8f70799ac3fcaa5f9f6a
SHA1 hash:
cde2283de5b89639ea52f6388feef8f77efc63ce
Link:
https://www.unpac.me/results/23b540db-681d-4ae8-b432-fc58a5495c1b/
SH256 hash:
a371765dedd33379dae17a85182af926eefbac02190fcd99c9d61d26cc695d97
MD5 hash:
0ac80331759a6608f6095a3cf16ca51b
SHA1 hash:
17374ed90f01f8240c49744c01b3db9fb13e7174
Link:
https://www.unpac.me/results/23b540db-681d-4ae8-b432-fc58a5495c1b/
SH256 hash:
ad9ce2c06fa6d4d7aec28f88efb62d16f29904de627eb08f10023803365c0327
MD5 hash:
3a674e970ad5a7b77bb1465d4a858be3
SHA1 hash:
5dc7c6a4a29d519d68f69dc9e5f1b131ebbc0e49
Link:
https://www.unpac.me/results/23b540db-681d-4ae8-b432-fc58a5495c1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/ad9ce2c06fa6d4d7aec28f88efb62d16f29904de627eb08f10023803365c0327

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/319421/
  
URLhaus
https://urlhaus.abuse.ch/url/2366102/

Comments