MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803
SHA3-384 hash: 8ef1fec624f456ccd4012efdb230fc09e348a384df6701119bdf08b30a68b75a9dffacc27bd20f0848606e4b0a55f97e
SHA1 hash: 939ada9eae1b3bdddb19fb5bd8c4718034fab025
MD5 hash: 483ea891bf8558260e66b43bddde35b0
humanhash: tango-cola-lake-nebraska
File name:Request Quotation.exe
Download: download sample
File size:456'192 bytes
First seen:2022-07-06 05:52:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:OQ2iNZEn27lG1ZJl0wRw57OFFPnh8Dlt:j1vjQJlxK4nh
Threatray 3'498 similar samples on MalwareBazaar
TLSH T195A41226B3B36368DA3612F58064827007F27E66D1B0D72F1ECD31BF7868359465A29F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c5233f76fa5a599446c625/reports/aec57da0-7000-406a-99ca-d0918a43d9ca/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/98acd47a-25f3-42d8-8d13-341b0f3ea11b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1025338
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 657833 Sample: Request Quotation.exe Startdate: 06/07/2022 Architecture: WINDOWS Score: 68 19 Multi AV Scanner detection for submitted file 2->19 21 Yara detected AntiVM3 2->21 23 Machine Learning detection for sample 2->23 25 2 other signatures 2->25 6 Request Quotation.exe 3 2->6         started        process3 file4 17 C:\Users\user\...\Request Quotation.exe.log, ASCII 6->17 dropped 9 Request Quotation.exe 6->9         started        11 Request Quotation.exe 6->11         started        13 Request Quotation.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-06 03:07:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iolimapzrtkcujgurgtq4h3orerde36yffemo5clitp37ngxtabq._file
Verdict:
unknown
Similar samples:
1e6f5352bb12ba7c2f9cba16e628eecd4cfe8e7f14a3b552f9be7b7b54afcd35
23c4426e903f6582e520db422c88f2c9d9625a03c9c5afc5851ef858185fba7d
35ddf428695769bb87459e0848cfae7eb62a86c91c8bb33a2caa23c5fbc43b73
482886d356a4f90c7a0a509046c745a2a989e543d1b6ac224f9bdcb1374b73c0
8baeeee73a8db725469f13574a4b9a3c23aa5b3915b62d33b55454defedd7b06
94ba7a7fa6062f91a963dec2f064bc9803a08dc513ca9e528000f6fe5d46c4d0
a9aa59bed8eb3e4839b215c072549c359c3867b238e65c4bf98a5f274d2808bb
c24fe8f2829486059e49a179960a0ea6414ed4ef3af24a2597a9ce720b81bc43
d9a34a1c34cdb62ed77d841f76d9e38e613134f06b7b32e309acefdb8df768fe
fd3c1514a7c69a0632bce2a5e0ee36c2bfc450cebc898c0e2dd022bf833ca38c
+ 3'488 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220706-glathsbde4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
bcf0d54f4b7f3cafc341bb7b0705e1ac8a7ea9548674288fa291626809263395
MD5 hash:
161a9c0b52f7ec4af4147a051b9e03f5
SHA1 hash:
dc2408a4163c956dcbb86f7a79c5a815643cbdfb
Link:
https://www.unpac.me/results/af8893c5-52f8-4b6d-8953-f25f9dbab806/
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
Link:
https://www.unpac.me/results/af8893c5-52f8-4b6d-8953-f25f9dbab806/
SH256 hash:
764cba29365d10a047e1c9504bb11b5b6a6c80caaf2e88fe71a36873b98de96a
MD5 hash:
fcc4eb0ea6de241430344c209f4ef0ac
SHA1 hash:
5bc44e8f9cb3a5b103620eb58019525b771868cf
Link:
https://www.unpac.me/results/af8893c5-52f8-4b6d-8953-f25f9dbab806/
SH256 hash:
c91c81ad070e14c23f315350bd06a505efad6ea156c7fec1360330c91358278d
MD5 hash:
cb1d0e97a149b75ff5f45bd0612f2235
SHA1 hash:
151dd0e9792935e0d5e8a296db948259c6f441be
Link:
https://www.unpac.me/results/af8893c5-52f8-4b6d-8953-f25f9dbab806/
SH256 hash:
43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803
MD5 hash:
483ea891bf8558260e66b43bddde35b0
SHA1 hash:
939ada9eae1b3bdddb19fb5bd8c4718034fab025
Link:
https://www.unpac.me/results/af8893c5-52f8-4b6d-8953-f25f9dbab806/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 43968601f98cd42a24d489a70e1f6e8922326fd82948c7744b44dfbfb4d79803

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments