MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6c756d3b2667ac43f733489fffd65d440ea62da586eb792877dcaab2074873d
SHA3-384 hash: 6032be47ba3fb381294157350542c26125a6e62377836965b08cc3ebb03dd5516b11ea71e317e34d63c86e3f683f012d
SHA1 hash: 841662e430710b633614c23a467027cd49e7dc82
MD5 hash: 63c27795d4ec81c0ae682d0ce2dc2bc6
humanhash: thirteen-fanta-alabama-lake
File name:apphost3.exe
Download: download sample
File size:2'480'776 bytes
First seen:2020-05-28 12:19:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7617119cde5afea121182e7cd8e56744 (6 x RedLineStealer)
ssdeep 49152:6yo/EwvOi0bZelX9kAx+rca/pEkrCCl2DqD0:6OwWiGelX9/+jpEkf2Dp
Threatray 7 similar samples on MalwareBazaar
TLSH B0B5232AB40DB19ED0C5F13721284BBC7F01696DAFA5A6504399FE0B193F5E6C6324CB
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:Cert google pro
Issuer:Cert google pro
Algorithm:sha1WithRSAEncryption
Valid from:May 27 02:47:12 2020 GMT
Valid to:May 28 02:47:12 2030 GMT
Serial number: 6C60E03ECE980DA54304E4B8EEB4DF61
Thumbprint Algorithm:SHA256
Thumbprint: 40B91311F7D17477D770ADEBB0DEF2E90B1BB70828CE0AE6A7B5C9762F9C48F6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Mpress-7
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nvdkxrd
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 12:52:16 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
12 of 31 (38.71%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
29dbf4847de301b71d7696ac6e1934eea660e3293cf577ee7bd2186479326790
389875d4c35ff8da276f122cb6b4ebd1b1d65ce5da5c05defefaf40c2609dbaf
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
5bfe42139157de0d0c73ccea8bbf24f8368444cfd5bb4b58300d902bbfa48848
6575a80b5fa70f2b72b0c5270e4bf316efbdda166b73267a783ebe8a56f3cd1e
ca9cc4ff6c8597a999bf16b9f64f709b48add9b3ae2a2556cde2a80cdc75fa4e
e9e9a0314ec1302997e3382807436f43a70e0dc2c165aafa6b5b8f3856d04d0d
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-ft3pwjysyx/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
AgentTesla Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments