MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

SHA256 hash: 0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763
SHA3-384 hash: 6a2cab82aec72a552e9e20a1637e8b3e1f42b2b3e5eebc2b8ab7ffe005c817a1b62dad6ec3dbd87b21178d32ed849b0c
SHA1 hash: 5d63530cf66fd0cf6b5ab6ff9e1a75de9ba5d18f
MD5 hash: 6c5ee96e1491bd3bb7e72392c415dea4
humanhash: alanine-kansas-indigo-colorado
File name: Ziraat Bankasi Swift Mesaji.pdf.exe
Signature: Formbook
File size: 671'232 bytes
First seen: 2024-06-25 05:00:15 UTC
Last seen: 2024-06-25 05:33:07 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:GFBPCBpCNMsDNfE7PaTwMSle9E9f0B9gCzhLAbhejFUv9nAn+p1TNZRwtN9:GFgzSB1E7PwwNeKB0BGKhL9JUvq+p
Threatray 3'203 similar samples on MalwareBazaar
TLSH T131E4128132AEAB2BC67D47F3804C84055BFAB7AE6D95E21DACC391D70DA2F458342D47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags: exe FormBook geo TUR ZiraatBank

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 349
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763.exe
Verdict:
No threats detected
Analysis date:
2024-06-25 05:07:51 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Execution Generic Static Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
masquerade packed vbnet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses shutdown.exe to shutdown or reboot the system
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: Behavior Graph ID 1462135 (sample: Ziraat Bankasi Swift Mesaji.pdf.exe, start date 25/06/2024, architecture WINDOWS, score 100). The graph itself (process tree with signature and network annotations) is an image on the original page and is not reproduced here.
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2024-06-25 05:01:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
13 of 24 (54.17%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
execution
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash:
b833fc900f5087460728be6c03aa55a550dd18f0ff84dd8cf368bdf1350283c2
MD5 hash:
e7065c61d5340dc08c0e3c2c063fd0dd
SHA1 hash:
5fb7c65f2bec634d284366d58c6887d927398dfa
Detections:
win_formbook_g0 win_formbook_w0
SHA256 hash:
6c930aafb95d521a2f65142afb27527cb07492258b8e520b81388758b4ad066d
MD5 hash:
d50c22df5bc525ae86fbe034324165d1
SHA1 hash:
1427f5d6976f909e69e7655dd12bcf47e2711648
SHA256 hash:
f90c9c1768e95cfeaa4c0c57ef251571f001d4454d0ca80541b55a0d4182aa5e
MD5 hash:
b79e923379b3287e3e8a039e45609660
SHA1 hash:
c94284392ae41168e81b2452033613e651bb355e
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Parent samples:
SHA256 hash:
48fb29b886993e30de37f7b15b75f73240ea8950c595dc34e2390241378db95b
MD5 hash:
9e4f1b59282341d1fcbbe6fed49e5879
SHA1 hash:
062b237e76d19a442ea7054aadfc16c230882c97
SHA256 hash:
0966f8078bd21fd4501339ee365b9305818c94c54e880af4fae5d46ecea58763
MD5 hash:
6c5ee96e1491bd3bb7e72392c415dea4
SHA1 hash:
5d63530cf66fd0cf6b5ab6ff9e1a75de9ba5d18f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_DIFF_Common_Strings_01
Author: schmidtsz
Description: Identify partial Agent Tesla strings
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect pe file that no import table
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                          | Title                                                      | Severity
CHECK_AUTHENTICODE          | Missing Authenticode                                       | high
CHECK_DLL_CHARACTERISTICS   | Missing dll Security Characteristics (HIGH_ENTROPY_VA)     | high

Comments