MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5
SHA3-384 hash:	f8a32a0c7ee943496d70a2c2ede59157724df5739413cd4e4ab9e73676cd68ad1ec196ce4b204bccc3ac7a4178c035d8
SHA1 hash:	01250ba5bf2882f5b751254000fe56239c225ed1
MD5 hash:	b88355426f40db127c9757445c39b49f
humanhash:	sweet-california-india-echo
File name:	b88355426f40db127c9757445c39b49f.exe
Download:	download sample
File size:	1'897'472 bytes
First seen:	2022-08-28 06:46:38 UTC
Last seen:	2022-08-28 07:45:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:9w7bh6mzqBFyZPKJ6EC7NTemp3GAQGOYaSbbfwhnnZUlJQUe+7yvuapYl:G1zqaA6EvhZYaSXfwt9Ue6yvPpo
Threatray	20 similar samples on MalwareBazaar
TLSH	T19695F8813BD49E16E2BE2F71A0F701511B78E840ABE6DF8E968071F91C017447E697BB
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b88355426f40db127c9757445c39b49f.exe

Verdict:

Malicious activity

Analysis date:

2022-08-28 06:49:42 UTC

Tags:

opendir loader

Link:

https://app.any.run/tasks/0cfa5b49-6295-4503-b040-c303d7a39738

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/301803/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.27706.29248.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %AppData% directory

Sending an HTTP GET request

Unauthorized injection to a recently created process

Creating a file

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware hacktool

Link:

https://www.filescan.io/uploads/630b0f76bd44c22aa283f612/reports/e75a8f31-4b89-4428-aaed-67a158cf4aae/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16b3da00-28dc-4a49-9cc3-9d229fb789e7

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1059168

Signature

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Generic Downloader

Yara detected MSILDownloaderGeneric

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-08-28 06:47:14 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bqprdllijc7ongkucv5ywbos4f5bevwjz3visoiazyibzln5h3kq._file

Verdict:

malicious

5a2ebb201e3f9c619ad23b0043136c4aca5849f345733c68b9647d102b52b4ff

5cb3fb5b66cd56f7f3ed2ce5b1f3a02b9b615b7e8c41590ca04289ae692af8d2

8aa5bd6c413e609cebd3bf6a00bab7df51cac1487d9d4fa41ce6b0f167f9ce82

c84397694e1e9273cf3fc9c9801f6ef6a4f206b6d89e4624aea2f073350be2df

d8c2f28a4b492e55b4c7a16868a0d898097dd8f30a5d4acd371df61905fd1984

e1db9a1008368b341ee4cbf519c859e65d16e5fb5ac5f45fa63a58aec07532b8

e4825c5e3d7de5d4bf16efb2ee460a6992fbba375379d8677185636400a26f69

e528e6f67fa76a1a9297544cdcbf8ccbe3e64bc20d919ec3753401fd0405ec5e

+ 10 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220828-hj7k5sdggp/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Downloads MZ/PE file

Unpacked files

SH256 hash:

0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5

MD5 hash:

b88355426f40db127c9757445c39b49f

SHA1 hash:

01250ba5bf2882f5b751254000fe56239c225ed1

Link:

https://www.unpac.me/results/16676b22-4e40-4cfb-b427-5a6877147439/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 0c1f11ad6848bee69954157b8b05d2e17a1256c9ceea893900ce101cadbd3ed5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2276021/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2281778/

Cape

https://www.capesandbox.com/analysis/301803/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample