MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5
SHA3-384 hash: 9316ab8362f3fab5e8e355da76a37cc753ade9d8bb416e4f16a1d87dff4a61f1f643f20ffa731f5f910c135abeb0986d
SHA1 hash: 9e613005402d2b5c0fdc5f6af89ec7962b9b0f49
MD5 hash: 1c6a914b6740dfa59f31b05c4a073d84
humanhash: kitten-echo-freddie-spaghetti
File name:PAY SLIP-21807.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'561'264 bytes
First seen:2023-12-19 13:48:35 UTC
Last seen:2023-12-19 15:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep 49152:+rCbFjHcvs9eZH2zPnkDg2ZI9FSdV7KczqM4b6FRATklR3I3FjPgfo:E4HcvwDYWSLmcWpbaRATk/41cfo
Threatray 4'047 similar samples on MalwareBazaar
TLSH T1E8C5332D660CCD2ED5D0C6BC2B96D7DAADF8F82889F849D4230D763ED87420356DE192
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter malwarelabnet
Tags:AgentTesla exe FormBook signed

Code Signing Certificate

Organisation:Outplay
Issuer:Outplay
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-18T11:32:23Z
Valid to:2026-02-17T11:32:23Z
Serial number: 51e892218969180aa8aa3618b9fd4abc23eb9439
Thumbprint Algorithm:SHA256
Thumbprint: eca284c652bad00df2e2c17992a32db026c1d2736e062e897e7baa1a4bd81e60
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
CA CA
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468494/
Detection(s):
SecuriteInfo.com.FileRepMalware.21653.18566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a process from a recently created file
Launching a process
Searching for the window
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65819f54b290743934e8adeb/reports/6c6b2cc0-e8e9-4dce-84f5-cec317232e77/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/341c303d-8819-4b4f-9a12-bd4aea9979e3
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1364538
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1364538 Sample: PAY_SLIP-21807.exe Startdate: 19/12/2023 Architecture: WINDOWS Score: 100 27 server1.sqsendy.shop 2->27 29 schleswig-flensburg.freifunk.net 2->29 31 3 other IPs or domains 2->31 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 7 other signatures 2->49 9 PAY_SLIP-21807.exe 19 72 2->9         started        signatures3 process4 file5 25 C:\Users\user\AppData\...behaviorgraphrankogler.Bus, ASCII 9->25 dropped 59 Suspicious powershell command line found 9->59 13 powershell.exe 12 9->13         started        signatures6 process7 signatures8 61 Suspicious powershell command line found 13->61 63 Obfuscated command line found 13->63 65 Very long command line found 13->65 67 Found suspicious powershell code related to unpacking or dynamic code loading 13->67 16 powershell.exe 13 13->16         started        19 conhost.exe 13->19         started        process9 signatures10 39 Writes to foreign memory regions 16->39 41 Maps a DLL or memory area into another process 16->41 21 MSBuild.exe 15 8 16->21         started        process11 dnsIp12 33 server1.sqsendy.shop 63.250.35.178, 49718, 49719, 587 NAMECHEAP-NETUS United States 21->33 35 api4.ipify.org 104.237.62.212, 443, 49716 WEBNXUS United States 21->35 37 2 other IPs or domains 21->37 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->51 53 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->55 57 4 other signatures 21->57 signatures13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-19 00:54:47 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
12 of 23 (52.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vju2jxjsaozuwsq57xztjoulmvlwr5xgyrqwlievjf5ukirfqc2q._file
Verdict:
malicious
Label(s):
agenttesla_v4
Create hunting rule
agenttesla
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
0f38e9bb118683c47ed9ac3b745683a8b66b9386ab0ac538e7b52dc5ce7b0130
Formbook
56cfd7df1800b2c751e56c983a8e33c39b3e2c8d34368c6fa51582f306f2eff9
Formbook
7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220a
Formbook
e50d396fce14d5c6f58251adb5967d37862e8f2931d760ea76557e45086c30bf
Formbook
f5d898d55049c43482c1f3621d7038f6337c42956ba73d1adb6e438676088ee0
Formbook
+ 4'037 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231219-q4nmrsbaf2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Unpacked files
SH256 hash:
aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5
MD5 hash:
1c6a914b6740dfa59f31b05c4a073d84
SHA1 hash:
9e613005402d2b5c0fdc5f6af89ec7962b9b0f49
Link:
https://www.unpac.me/results/844c7448-5750-4cc1-a634-820d6338bc25/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aa69a4dd3203/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa69a4dd3203b34b4a1dfdf334ba8b655768f6e6c46165a095497b45222580b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/468494/

Comments