MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 00ca71f0e19dff6f76f89b3fbc7189d9fe7f77ce66dcbcfb189a5f98220d1fcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 10
| SHA256 hash: | 00ca71f0e19dff6f76f89b3fbc7189d9fe7f77ce66dcbcfb189a5f98220d1fcb |
|---|---|
| SHA3-384 hash: | 68ee156fd4cc79e2ac6fc728388e8cc04fa8830be74e16c15765af34f3d8842a0eb567c3aa5218d2a528773733f27bb6 |
| SHA1 hash: | 82ba76c76ee5f123cf72cf589451d87cbc529b95 |
| MD5 hash: | 2d5c7bdee302fe8cc7a5f06b79bfdf03 |
| humanhash: | oregon-quiet-sierra-sad |
| File name: | RFQ#1952022(BOQ-IT-Equipment.pdf.exe |
| Download: | download sample |
| File size: | 1'756'160 bytes |
| First seen: | 2022-05-04 15:33:33 UTC |
| Last seen: | 2022-05-05 06:16:05 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger) |
| ssdeep | 49152:6urGMSfavY0wLsVp1FaaIIaKTD30v7vI:6urbSivYUxFaahTDEv7v |
| Threatray | 1'082 similar samples on MalwareBazaar |
| TLSH | T1848523147207DA67D3692375A6D2129003B5AE5EA016D1DB3FD523CAA2A3FF61EC0F43 |
| TrID | 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13) |
| Reporter |  cocaman |
| Tags: | exe RFQ |
Intelligence
File Origin
# of uploads :
12
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#1952022(BOQ-IT-Equipment.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-05-04 15:43:49 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Clean
Maliciousness:
Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe fareit obfuscated packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-05-04 02:55:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 41 (56.10%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 1'072 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
2f7a005b9b83aec6dd19e6b53530745d9fdff0590ffca0a8ed8047dc11b3c335
MD5 hash:
927c0ce36865c9f2704cbe8c81c23e83
SHA1 hash:
cf7a9098ec615cdf62f7ccf127b1c71ed4e97550
SH256 hash:
ebdaf8b3455373f1e214b7e1bc3866e598270123fc05110e6af36f13aad7d53d
MD5 hash:
6c592156ecec344755c200d9bc860454
SHA1 hash:
8287502a10d374ac25e8712b954a24dca0cdd007
SH256 hash:
9fd9ae97b476042abcaae49dee6cb8463b5ccac3a2cdd7df2feb5bbf0d58ca6b
MD5 hash:
7a8fb2af99495ba9b0c3dbdf1cd350c9
SHA1 hash:
330327cf75d808cacf8375c6220b9ad83372f626
SH256 hash:
c57394dcdf14ee5770166280e6c8535e990af404c7649cab7ba6156afe4d7983
MD5 hash:
5693725de20432aff515cacbf202b6c3
SHA1 hash:
e337f47898eeac202b08d859bd8292e4b88747c7
SH256 hash:
a8dcb3bbabfba6e7f22207492f4ff6d8976bb2bee502ce145ff0e8b33d7c42ae
MD5 hash:
4f328caa4aec70994c3f2250ae8702a7
SHA1 hash:
0f8c1b9315a9988adee3320ba77fde0e88e8774f
SH256 hash:
b502f4d70ab931410be740459f755ff47736b6d659486992c634c2b8ed6221f0
MD5 hash:
0d537e3a24a9b9a85f5d3e9b87ab2dbc
SHA1 hash:
dfad86420adea4e049020c9dcc2938d721db7c61
SH256 hash:
53da5323a24904c6022fd3ce15bcbbeab663ac7b42ecc5b9d15cfc1d1aad528c
MD5 hash:
0ce8baf945313bba1937d1b2e3610f64
SHA1 hash:
b0af7395bc2ad426ad2965852440d47510e395e1
SH256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
SH256 hash:
34cb49a2fe123f46e815dcb200d5688cba9a0b9ca1daaf8616b657e87ec59b14
MD5 hash:
25e699a1849a3c3410f1aa8a550c83c3
SHA1 hash:
0e798161957606e8d7e1e72b3526e9c7f97ac7b7
SH256 hash:
1a9959ea7deea1e64492c1e5b541c3e9c4075709d98602a2898eb93df5a5f503
MD5 hash:
eda3785ae32c0aaae694260344b0a195
SHA1 hash:
5433ff01fe2ef26798201c770fdea121bee5b61d
SH256 hash:
bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8
MD5 hash:
cf7e259dd0225ae86a29f5952bcb5b4d
SHA1 hash:
4c6b2363a754bcaa07edeee5b4837b464cfb5d5c
SH256 hash:
645b339f8e74b96c421aa876d3d7a56419051024e9ac29c378679b387e6204a8
MD5 hash:
44142d1a1edc973dd0142a910a120380
SHA1 hash:
dc6cd08cb56b4b500d718418f5ba2d68c10890a2
SH256 hash:
a5c50b98d18fc2687a9dee335742a1d0738c3aa21d212af563571336b8e13620
MD5 hash:
2684c88620aba00cbdc13a4aad9dd53c
SHA1 hash:
d3282d6bc451b7522c3056aaa494245ff670636b
SH256 hash:
bf8e7e7376483abee4047d5faffb00c34b0faa6551531c112dc422716eeadd32
MD5 hash:
ce490da769ea596e0ded5e50e2bccf99
SHA1 hash:
4382ebc9e5a7986df2a3bdb7c352d3d55703a4fa
SH256 hash:
00ca71f0e19dff6f76f89b3fbc7189d9fe7f77ce66dcbcfb189a5f98220d1fcb
MD5 hash:
2d5c7bdee302fe8cc7a5f06b79bfdf03
SHA1 hash:
82ba76c76ee5f123cf72cf589451d87cbc529b95
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe 00ca71f0e19dff6f76f89b3fbc7189d9fe7f77ce66dcbcfb189a5f98220d1fcb
(this sample)
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.