MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 3 File information Comments

SHA256 hash:	0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4
SHA3-384 hash:	9a80aeb1331493afc385d65a3c6dba16e40a8e9b77e04ce6a825ccc38ee5c670a95bcace25573c12e6947500fe765d4d
SHA1 hash:	e70e0c4fb6d2f5b3c967014087d5f4a01a08fe8c
MD5 hash:	47d0f09c0bf7e1811bff110ab81321b6
humanhash:	lemon-lamp-jersey-glucose
File name:	Payment Copy (MT103 _171011).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	605'696 bytes
First seen:	2023-10-17 13:35:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:pBLXmsrJM1FQkGi8KnZx48wrUyBwVS1zeHrFGNtiB9bWfh:DLWiMHQkGmnb48KUyBwVgPNELQh
Threatray	90 similar samples on MalwareBazaar
TLSH	T10CD4121173FCEB65DD3E93FB58B2814447F9B11AA1AADB8E1F8520CE490AF5140B921F
TrID	61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.1% (.SCR) Windows screen saver (13097/50/3) 8.9% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	malwarelabnet
Tags:	AgentTesla exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/455349/

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Restart of the analyzed sample

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/652e8dc54a70eb0012f97010/reports/3f620057-b515-4ad9-bbd9-e7e1dcc0ad8e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/742e8cd7-f8b6-45d8-b8cf-a3f5567b4e13

Result

Threat name:

FormBook

Detection:

malicious

Classification:

n/a

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1327302

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2023-10-17 04:01:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=brsqtxqhp77u552urzuc6zzkkfurg3344ryliihs6m4jaiul6csa._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

0b97c43d0eb22c21c8c4be37b6b45a1fd2acc9aa8c2a30012a06c2a0fb23a1f2

AgentTesla

1be417c3be0fcbe972e13bd2d3e4494e08a94bd4f572b361cadae3b88be1cc5b

AgentTesla

21590f5c7b6ac30d1c7dd02ac222e9803694a2d3b8036875e23ba10943c331d2

AgentTesla

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875

AgentTesla

55080fee4ee4ead649f0e1e4f4fed140e91dbe7b372adc0ff110994655d956cf

AgentTesla

9e986879ac645f058d5deb6415cc90f40130a67e3d4263be55dbe1a8ff68ad2d

AgentTesla

a184d2ce3480d7760397c33df9cb2558133468bf0872d9653a44efc2d85142b3

AgentTesla

af3da7cad17a62ffd55dff83580e4f63697bf6e73faec62269c6f6b80fd8516c

AgentTesla

b8e44f4a0d92297c5bb5b217c121f0d032850b38749044face2b0014e789adfb

AgentTesla

+ 80 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:eg02 rat spyware stealer trojan

Link:

https://tria.ge/reports/231017-qv8lkscb5s/

Behaviour

Gathers network information

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

d8cea6959178d5a11c3f2a6adb96be88ff20dbd8574f63192ae707871ee04a2a

MD5 hash:

c2b85011809883903b0826f7615eabfa

SHA1 hash:

dd531edc87f80620d3d07a11b0d8f96d6656738e

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/d815604c-dfa5-4b88-9f78-aea631573e50/

Parent samples :

0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4
f98b2fefbfa54e17d684f60629172f5f160259a6041b671f423eefbf0e51f949
0372bd9c40187e5b4df86dae74c475d5f7b01de4424281dda221a579be971fb8
25e8610d483e74bac4bfc7189060e7fdeed775f6e82cd69b3a36d1a12b4e2af9

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/d815604c-dfa5-4b88-9f78-aea631573e50/

SH256 hash:

068b103533bd50fd32cb8df489bc3a04193174cb4ea556a1ffe852d3cbac112d

MD5 hash:

bce58d976229b466b5b84dd6ae51ffd4

SHA1 hash:

7c4c7d969a7bbdc74447c434dd5d862138e1b260

Link:

https://www.unpac.me/results/d815604c-dfa5-4b88-9f78-aea631573e50/

SH256 hash:

1a8ffa11e031feeca1bd30e81f80e5b14a242b6d487e92e2796236aaa513143f

MD5 hash:

0d36f2d36a13351fcfc9f9848342a299

SHA1 hash:

7bd743441bc091f04d38fb7bd4cd0781dae174b2

Link:

https://www.unpac.me/results/d815604c-dfa5-4b88-9f78-aea631573e50/

SH256 hash:

0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4

MD5 hash:

47d0f09c0bf7e1811bff110ab81321b6

SHA1 hash:

e70e0c4fb6d2f5b3c967014087d5f4a01a08fe8c

Link:

https://www.unpac.me/results/d815604c-dfa5-4b88-9f78-aea631573e50/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0c6509de077f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c6509de077fff4ef7548e682f672a5169136f7ce470b420f2f33890228bf0a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/455349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample