MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0
SHA3-384 hash: 04c6fa29e82fd037cf52f5a898c721ef3e54c478f4e290b43863b32292d1ebb2557da1333437c31eeb58f5ba7ee62e62
SHA1 hash: 1aec7583b7404e79b321ee6844ab6e76d5e2af4d
MD5 hash: 6d62ef994bf72f5ca8fbc72b6ef798af
humanhash: solar-fix-foxtrot-cardinal
File name:new_bank_vbc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:931'840 bytes
First seen:2023-03-21 14:05:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:8OE9GqODR8Kbjf32BaKk3GZRpoqYmZ70fwnRXTIF3kX9kyp/3KrlWGy627OJ:8p90N21RZRpoqY8ueHp/38WG
Threatray 80 similar samples on MalwareBazaar
TLSH T11F1518425EBB5085E8B70F38547B76880B34E963BED5903B3CC9B61A4FFA69360463D1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new_bank_vbc.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 14:08:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cdd7eb28-b858-4550-9629-e535b2cd5b60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6419b9ccc60b3295f52c5a87/reports/03faf696-7ad0-4c2b-b702-ef60efd7e3fb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1745dad8-f9c1-4250-92dc-70f3cbb22290
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198602
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831503 Sample: new_bank_vbc.exe Startdate: 21/03/2023 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected AgentTesla 2->43 45 .NET source code contains potential unpacker 2->45 47 Machine Learning detection for sample 2->47 6 new_bank_vbc.exe 3 2->6         started        10 RMBJLaF.exe 2 2->10         started        12 RMBJLaF.exe 2 2->12         started        process3 file4 21 C:\Users\user\...\new_bank_vbc.exe.log, ASCII 6->21 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 May check the online IP address of the machine 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 55 Injects a PE file into a foreign processes 6->55 14 new_bank_vbc.exe 17 5 6->14         started        19 new_bank_vbc.exe 6->19         started        57 Multi AV Scanner detection for dropped file 10->57 59 Machine Learning detection for dropped file 10->59 signatures5 process6 dnsIp7 27 api4.ipify.org 104.237.62.211, 443, 49684 WEBNXUS United States 14->27 29 server320.web-hosting.com 198.54.121.225, 25, 49685 NAMECHEAP-NETUS United States 14->29 31 api.ipify.org 14->31 23 C:\Users\user\AppData\Roaming\...\RMBJLaF.exe, PE32 14->23 dropped 25 C:\Users\user\...\RMBJLaF.exe:Zone.Identifier, ASCII 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Tries to harvest and steal browser information (history, passwords, etc) 14->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->39 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 08:23:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3s2c7msip3xohlikg23n2k3p6z2mwtytbw2ox757y3uthymbepaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0569738ce15eac35fb934871ffc136a1a73800be88e9c13d96c4bb05b863ee93
AgentTesla
19f2aeff7f118bf524c7af4260ee3f8796e33853e441e5d1b10f0a103923d8a9
AgentTesla
21bdb778fe7e0e778064e676024a2564501496150b2d4c90ca14ae49f17ad448
AgentTesla
23c49d3c46ddb3a5a8eabb6759c3baff956f98efa3c27ac263353125b2856294
AgentTesla
3f9a3906d05707bc7faba452982b42c6f8244b99e906a9009fefdf3209ab83b9
AgentTesla
431d5ac94ffcc12e9ff48e227ba286736ba47a50e6afd8f1ac2d9bf4a1b9fd33
AgentTesla
918057f4d236bf49e9efaceb3c4aaab580baf9960ac45d2fe8d97c5d98111f73
AgentTesla
b7d8fbbf428d72bcf7513bf41bfbf43db9f8f90a86f790b35e439dc1c1ac58e0
AgentTesla
d5387c42e8059092e86b896c525002d61d173b85bdc4047f6fd4923ea90c7695
AgentTesla
fb9ed95a4efb33b9aea91877cd5da9c3d8831f266c643f32da41f4b4fde85022
AgentTesla
+ 70 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230321-reeh8sch5x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
67b10ea3f47b9275f9866af5f7eee470f776c7337786abd721ffd9eb490f6359
MD5 hash:
31c9502193e02bc46d2a176bfcb399d2
SHA1 hash:
8802d6c0aaf1d1d6c033ec3eb04da318d71fd6f9
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
SH256 hash:
000c0889c2d93807781cb5e2c212d07bd38c6fed9b738530f2515640306b5f44
MD5 hash:
8d369299a047f228593293887092e43d
SHA1 hash:
7e38cd87127c3ea59ddba80f7ddf35fb105a7f6c
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
SH256 hash:
dace471bfba16421174814402f216ffd6fe59f23b978d2f54734817151f45e26
MD5 hash:
b826ff0cf34c5dbeb3534c512e5c95ec
SHA1 hash:
508a01fc1695f24a63550c6de60c130b028b463b
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
SH256 hash:
253dc25d7131bf96960bd341d64c5f01a365880c7a587de71b7a0326bd450e00
MD5 hash:
dd26ecfea4063e28eb81dd40d865b6b7
SHA1 hash:
1337a8823c91c9ac8b0a41b64a3140509ab671bc
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
SH256 hash:
dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0
MD5 hash:
6d62ef994bf72f5ca8fbc72b6ef798af
SHA1 hash:
1aec7583b7404e79b321ee6844ab6e76d5e2af4d
Link:
https://www.unpac.me/results/2cf4ea6a-6d18-4583-95e5-91e5fdb5dd34/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dcb42fb2487e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/dcb42fb2487eeee3ad0a36b6dd2b6ff674cb4f130db4ebffbfc6e933e18123c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments