MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938
SHA3-384 hash: 1d6ff94fd2eb416e4b606d98dd923f8707c6bfee70a27da38718a809da8bcc992ccbf11d03cd571d372a5bf5962a087c
SHA1 hash: 1c84793eaae4f1534483280337c8a4974e34d78c
MD5 hash: 4710d6f5d3b9c2d612f2589f997fa70b
humanhash: india-october-winner-lemon
File name:RFQ#F44E0741.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:447'488 bytes
First seen:2020-09-15 05:29:14 UTC
Last seen:2020-09-15 07:05:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 6144:8QbGb6t7QSvKpgxBypeR+FrMgQ1bioNKLu/NYnBQd4LkDUB/UC+L:zb46yu2m+mgQ/3KsbDUBsC+
Threatray 97 similar samples on MalwareBazaar
TLSH 18945BF62AD6447FC97A027F157640C0FA7A22C73A824E8DB07F820C1E16ACB576565F
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/60049/
Detection(s):
SecuriteInfo.com.Fareit-FVT4710D6F5D3B9.30552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/466109
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 285467 Sample: RFQ#F44E0741.exe Startdate: 15/09/2020 Architecture: WINDOWS Score: 63 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 3 other signatures 2->38 7 RFQ#F44E0741.exe 1 9 2->7         started        11 pcalua.exe 1 1 2->11         started        13 pcalua.exe 1 2->13         started        15 OpenWith.exe 2->15         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\shshsjsj, PE32 7->24 dropped 26 C:\Users\user\...\shshsjsj:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\...\RFQ#F44E0741.exe.log, ASCII 7->28 dropped 30 2 other files (none is malicious) 7->30 dropped 42 Tries to detect virtualization through RDTSC time measurements 7->42 17 cmd.exe 1 7->17         started        signatures5 process6 process7 19 reg.exe 1 1 17->19         started        22 conhost.exe 17->22         started        signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 19->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 05:27:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ou2wj4kn72iyiiz6zpiqjftfyo7tvvj4wdifdfdmqotjk7d5e4a._file
Verdict:
unknown
Similar samples:
02343c3fa1176e06ba37758a53edefdeed2200f470dc184cb2d45406f2e16d38
AgentTesla
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
AgentTesla
0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575
AgentTesla
4fd6cfb4c08338e8b3a6ec64118aa6ad90350e865e90365b5b700aa41908b984
AgentTesla
66be42e48ac5cca62e07acb170e1965756f0556ac5ad9a3070c64c6e74a11fa7
AgentTesla
84e0b5e6daeb11cdca531a22315506ee74a14bd6b0ae9c563fde694aa955867a
AgentTesla
9295ce88660ed117b7cfff0886232a51dc6492bf6100738957bf93fabdb74bb8
AgentTesla
99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8
AgentTesla
b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049
AgentTesla
c639621985cf5e13b426c10f605d28767636aabd6ac4e8d16da8ddc2c2bbc356
AgentTesla
+ 87 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/200915-ksc1qpbm5j/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar da62bcbaf979d67943395094d8cd54a2f02041a0edd3822ce83c46f4ca52b2f7

AgentTesla

Executable exe dba9ab278a6ff48c2119f65e8824b32e1df9d6a9e586828ca3641d34abe3e938

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 da62bcbaf979d67943395094d8cd54a2f02041a0edd3822ce83c46f4ca52b2f7
Cape
Cape
https://www.capesandbox.com/analysis/60049/

Comments