MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a
SHA3-384 hash: 2987ec6e10a5cab1d38e6a6af40e87f8b38c9ff119e99b581d5d6c1157a74835e58c0d6f471f78bd3c81fdaf1949e4ed
SHA1 hash: 487a3a3e17b659d143dc48fb81d9c1860f2599e5
MD5 hash: 1a0eb064e5ce3f0f888ea48aadd7c6ab
humanhash: asparagus-ack-lactose-burger
File name:doc201002124110300200.exe
Download: download sample
File size:410'624 bytes
First seen:2021-11-24 12:16:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:CPMoogAgkXrw5xRI0FLa37O74Scp8rjG4Bgp/:CPFkXrwnRIW4OsSc8/LBi
Threatray 835 similar samples on MalwareBazaar
TLSH T1FA94F11035E5E282C9770FB64D7120804272E2556E12DFCF6CC4578D6DA7FEA8722BA7
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc201002124110300200.exe
Verdict:
Malicious activity
Analysis date:
2021-11-24 12:18:22 UTC
Tags:
loader
Link:
https://app.any.run/tasks/1c5edaa1-cfd0-4b6e-ab37-7e07e3d18021

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619e2d06b71ceed4152e768c/reports/679b8b8a-3d20-43a4-b850-154b51d8ec62/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e22aae9-c0cc-4ea2-9a71-d6fde78113cb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895328
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Certutil Command
Sigma detected: Suspicius Add Task From User AppData Temp
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527806 Sample: doc201002124110300200.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 42 oshi.at 2->42 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus detection for URL or domain 2->50 52 Antivirus detection for dropped file 2->52 54 8 other signatures 2->54 9 doc201002124110300200.exe 7 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\dqeTEAdmdBXbBD.exe, PE32 9->32 dropped 34 C:\...\dqeTEAdmdBXbBD.exe:Zone.Identifier, ASCII 9->34 dropped 36 C:\Users\user\AppData\Local\...\tmpF77A.tmp, XML 9->36 dropped 38 C:\Users\...\doc201002124110300200.exe.log, ASCII 9->38 dropped 56 Uses schtasks.exe or at.exe to add and modify task schedules 9->56 58 Adds a directory exclusion to Windows Defender 9->58 13 doc201002124110300200.exe 8 9->13         started        16 powershell.exe 25 9->16         started        18 schtasks.exe 1 9->18         started        signatures6 process7 file8 40 C:\Users\user\AppData\Local\Temp\...\A790.bat, ASCII 13->40 dropped 20 cmd.exe 2 13->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        process9 process10 26 certutil.exe 3 1 20->26         started        30 conhost.exe 20->30         started        dnsIp11 44 oshi.at 51.68.141.111, 443, 49752, 49818 OVHFR France 26->44 46 192.168.2.1 unknown unknown 26->46 60 System process connects to network (likely due to code injection or exploit) 26->60 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-24 12:16:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hpxa65lb7aeu6grcmosoopvjq2ra46r3lae5jyak4zwr7vv2gfa._file
Verdict:
malicious
Similar samples:
1f79ce7d7716512af2a93caf014f302846d5f41ff9850af71120c7fed2bf5845
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
605412b4ceaf25fc66306e96a347662161925ba372383ad39a28703d4ef65caa
6b664d6b89eabbac55c8927fa29d2669ba629a40f1abbf12d76f8d9b14e4facb
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3
f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927
+ 825 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211124-pfgnwafgd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Downloads MZ/PE file
Unpacked files
SH256 hash:
302ac54c94e8bdb12b7fdaeef76e2b936e0294ea5b1ced38c6da51ef50c3067e
MD5 hash:
d1a58ca8f82c480763bfa3205e80b770
SHA1 hash:
7b23287d165b2dae07ead2625bd4e1e525d27a1b
Link:
https://www.unpac.me/results/5fe63c83-9488-424e-a751-ddca87ec4726/
SH256 hash:
42ee5974707b790a90247f9e283c0a52b8c1f01e11b6f516fef6fdc9d11c18b6
MD5 hash:
95fb5bb40e2b0b135fa951878c958c10
SHA1 hash:
5829a1b6b06b689c57b51ecdfd7696ce5f849d8c
Link:
https://www.unpac.me/results/5fe63c83-9488-424e-a751-ddca87ec4726/
SH256 hash:
c5dd28e9e62d30749a4724adfa7fd9b75f30e8baa9f6bec51e2d23d9ff42788c
MD5 hash:
173505812b06cf2316c4d38b54278c91
SHA1 hash:
4737d05f1c62be85f55c878f84597187f6eb3a58
Link:
https://www.unpac.me/results/5fe63c83-9488-424e-a751-ddca87ec4726/
SH256 hash:
f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a
MD5 hash:
1a0eb064e5ce3f0f888ea48aadd7c6ab
SHA1 hash:
487a3a3e17b659d143dc48fb81d9c1860f2599e5
Link:
https://www.unpac.me/results/5fe63c83-9488-424e-a751-ddca87ec4726/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/208929/

Comments