MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15
SHA3-384 hash: 4e861d37a97043907b1e55a7ac2a009ba3acd9f8a591cd6d14106f842ca71c20e3406c1484b2a7addedb68092a102d33
SHA1 hash: 88f76d25ab755db54c87b5cd81fce9c52011ee82
MD5 hash: 1b80879e9f06f4338b53ad124979700e
humanhash: mike-neptune-mississippi-artist
File name:FleetAgentFull.exe
Download: download sample
File size:23'552 bytes
First seen:2025-12-06 17:28:53 UTC
Last seen:2025-12-06 20:23:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep 384:7PQ5VkTbkdS8SFAULq0/AfvH9lq3/ZwneYRSFSe+5FnPMe2eOpOONQWcxYW:7PFTb2uF3O0/OH9w3YRSFMcOB
TLSH T184B20804B7E88758F1BE0FBDB873422455B2F9970936D79D1CC9609E1EB27C49A01BB2
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter juroots
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
69
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
PostExploitTool
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a79b8faa-dda2-4dfd-8733-21d770bb0a59/
Malware family:
n/a
ID:
1
File name:
FleetAgentFull.exe
Verdict:
Malicious activity
Analysis date:
2025-12-06 17:31:55 UTC
Tags:
websocket auto-startup auto-reg
Link:
https://app.any.run/tasks/5b8494ec-47e2-4f74-a6e5-3eb820bc89fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42759/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.91825378.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69346807920336450abc0531
Tags:
autorun dropper virus micro
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-06T15:34:00Z UTC
Last seen:
2025-12-07T01:41:00Z UTC
Hits:
~100
Detections:
VHO:Trojan.Win32.Agent.gen HEUR:Trojan.MSIL.Agent.gen Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/826de396-d345-4b4f-8815-d16a624d398e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.29 Win 32 Exe x86
Link:
https://app.malva.re/file/1b80879e9f06f4338b53ad124979700e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Malware.Heuristic
Link:
https://tip.neiki.dev/file/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2025-12-06 14:44:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tr477unkequ6mbseeuwa6qppoi4nugulw6a4mdtc2aq2jnzexmkq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/251206-v2rc4axnaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2b7f25e6-6efd-4029-93f5-3150edab9fb3
Unpacked files
SH256 hash:
9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15
MD5 hash:
1b80879e9f06f4338b53ad124979700e
SHA1 hash:
88f76d25ab755db54c87b5cd81fce9c52011ee82
Link:
https://www.unpac.me/results/0a6b62a6-a58d-467a-a249-39587d91dbc3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9c79ffd1aa2429e60644252c0f41ef7238da1a8bb781c60e62d021a4b724bb15

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/42759/
  
URLhaus
https://urlhaus.abuse.ch/url/3727757/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3727794/

Comments