MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Floxif


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163
SHA3-384 hash: a6821bcb63fa559ef901b42118026208c543028724e34c80b1872beefe90cba74b9c30a763c105f8b5712537f398afb4
SHA1 hash: 08016aa5843e206cc757a03b1b9f1eb555b71fce
MD5 hash: 190891c13990b5c20562239adbd15415
humanhash: november-virginia-twelve-saturn
File name:Req#422722.exe
Download: download sample
Signature Floxif
Create hunting rule
File size:834'560 bytes
First seen:2021-04-06 08:17:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:YC6pOC4ZvPE6L/hNPwjVOwAT5LdSzDEzi/sodir/wwM3FP6Zzrfi1Bxm7zxHecX9:Yxp+JPE6VBqetdWDAgdiwwoOLi1H0xz
Threatray 44 similar samples on MalwareBazaar
TLSH C905E022279CDFB5E67EDB7D5424100043F1F707E326EA5E7DE650CD0AAAB458A62B03
Reporter abuse_ch
Tags:exe Floxif


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: relay-bulk2.stackmail.com
Sending IP: 185.151.28.79
From: Sharon Namayanja<jamshed@dreamnw.com>
Reply-To: Sharon Namayanja<xyris.choii@gmail.com>
Subject: RE: QUOTE
Attachment: Req422722.r00 (contains "Req#422722.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Req#422722.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 08:52:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5c71c692-946e-4c0b-9a13-f178bf6dba9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132621/
Detection(s):
SecuriteInfo.com.Variant.Bulz.421101.14465.17675.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667357
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-05 23:45:20 UTC
AV detection:
9 of 48 (18.75%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ys6tlcvj4fmuritrgve7ccpwkesolei256tqt2jb3ieuvlawufrq._file
Verdict:
suspicious
Similar samples:
0726eef18a27b6e019baa87d12d004efc1e0fb42169acedb5a56fee6d39d8946
Floxif
1cf2c4b90a84ce31c99a4b74ed546b17b2332a868f75293f237ea0bb0a5835c4
Floxif
2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
Floxif
4b9c39b0624ed5da7d8ffeb5b8de89562a0ba2db40e4899160fdd1e51efa63ea
Floxif
52055c63e2a063c0d4489918ff3bc7e63c9ff94bb56ad95003d8594d01bb81d2
Floxif
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
Floxif
5501a072a478f1b6c6045154d4b3e5c102c5da98041f503d80b8a2b50bb6b85b
Floxif
5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
Floxif
69b433882a0be8350987589222a1b677cb948d1efea4e523b878a778bad33d4a
Floxif
b2ae47f62aa239fb6badfb8af83054c008e9c93d6fe1953732ec03029dc474ce
Floxif
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210406-km5k914v6e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/bdeca4dd-ed1e-44ef-84f8-91ab371744c1/
SH256 hash:
c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163
MD5 hash:
190891c13990b5c20562239adbd15415
SHA1 hash:
08016aa5843e206cc757a03b1b9f1eb555b71fce
Link:
https://www.unpac.me/results/bdeca4dd-ed1e-44ef-84f8-91ab371744c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:MAL_Neshta_Mar20_1
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:win_neshta_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_neshta_g0
Create hunting rule
Author:gpalazolo
Description:This rule identifies Neshta Malware.
Reference:https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Floxif

zip da896b9f2e7fdecccd952548ebb724582b7eb197365c454af6f282eec110f847

Floxif

Executable exe c4bd358aa9e15948a2713549f109f65124e5911aefa709e921da094aac16a163

(this sample)

  
Dropped by
MD5 67ab3639b2a1d96f583d4d5cede49cb1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132621/
  
Dropped by
SHA256 da896b9f2e7fdecccd952548ebb724582b7eb197365c454af6f282eec110f847

Comments