MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0
SHA3-384 hash:	5b3c4f5db76ed9383b9a5b393ae810300bfafd65681ebef9b58e8333f43c357b73ba56f749f77c7f7f897d285f37c055
SHA1 hash:	e5e1181dd12e4ff7392c0e66c61eed62b6c30c2b
MD5 hash:	0235caa220bf10454f064023f409d75a
humanhash:	utah-golf-pizza-pasta
File name:	Nuovi team di ordini di acquisto.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	707'584 bytes
First seen:	2023-04-29 00:46:56 UTC
Last seen:	2023-05-13 22:54:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:NOFKQpxnueUElFbvxsXxs2egQVtOOBorpJnjGcFxkETC4SJpQo0/uNXPYiSdV018:ip3UElXshsAOBoTh6EdSnnJNXgi713Ri
Threatray	3'281 similar samples on MalwareBazaar
TLSH	T1B6E49C129014C81FFE1ADB70C1B4FFE5A6F4BD73A4E5542223793988EAB9F011E8D169
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	8e173733330f693b (14 x AgentTesla, 4 x Loki, 2 x njrat)
Reporter	JAMESWT_WT
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

469

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Nuovi team di ordini di acquisto.exe

Verdict:

Malicious activity

Analysis date:

2023-04-29 00:49:09 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/78f0d622-74b5-4724-babb-972a048d7e6b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/385625/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Creating a window

Launching the process to change network settings

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/644c6909463eacbc57dad029/reports/56222a06-a985-468e-b08c-ae480ab1d674/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fcb6b7d6-f6fa-486e-a2fe-ff5aa2429001

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1223319

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-04-28 11:40:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 35 (51.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zcn7moaeiwsjcj2jdjggrn33zh7yxkny7iawqrxnntbcos3bgpia._file

Verdict:

malicious

Label(s):

formbook

agenttesla

AgentTesla

0b89806418ec582854a24adb93fba607c7f27938f2b653a081aefd1a5e419e4f

AgentTesla

319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face

AgentTesla

3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b

AgentTesla

4f97be86fd94c84a31cd8aa9bdb4310a6d251d0560e23eebb93d84596df72dfd

AgentTesla

c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1

AgentTesla

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564

AgentTesla

ea2bca0128d9498a9905b3408ceb8edecefbc96891ae4bf4403739d21fc98c52

AgentTesla

f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb

AgentTesla

f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3

AgentTesla

+ 3'271 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:cx01 rat spyware stealer trojan

Link:

https://tria.ge/reports/230429-a474eaha87/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

65532eced8f8afb2148aae4fea0cf6764349256c0b5a3a89a6875b6bed2a6a09

MD5 hash:

e979886dd03a38f4ea730b97f421196f

SHA1 hash:

6a0f676c2735a5afaea258ee5ab12b9d5299aba4

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

Parent samples :

c3c4281831f463d7ee622d35ea584b893b99400c0dc7dda327557d48f10ec564
f0eef09d45e8b0edf907f9fa6f9bd84a33327f62359fef4b92508a413d68c1b3
3ff8da989c0463e0eca88964ea38876e1b9e1e3dfe7cbab96297feadff54713b
f0ce6536bd8f80c0ee0ff1a246fd8447514906a38d4d24ec0d373c814180f9fb
319ed15753e7ce1ff182e1bd2e4900de9c76300f30cb645c01b57324de50face
c233b5359370a026201a1648489a3f1f91fd11cadb41e87ce45c60ea3a15f8f1
07ad0c61940072d3f26c6706e550f970c2e3ee59d1b0a519515ebf16e013b11c
c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0
4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e
3b0069e420ccfba9dff2e274d714fe3f62a6b9f3b5630e0fd28a89f579ebadcd
9c0a4fbfc6a9ee19747c3bd56699ad195ef95f65752476a208f7ef7fc2dd27f8
e30d41df0b3384eb57a607989bdfe40191b4e81df96327c1974f6d05a3a3d83f
880b7f96797851986e0dfb579afb707a7529f1adf9cce67efb7534d4003b8aa7

SH256 hash:

af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114

MD5 hash:

b9897ba5e468e516e162fd3790a9ddbc

SHA1 hash:

db264c796e4a36a45af11e8a7bf71cf0dadce0f0

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

SH256 hash:

5b994b30ecbe2e8ed431ae9c8cc0d069365bef6ff601001550149b37af624b93

MD5 hash:

2ea2651d8937a613bcba44777f8b0dd6

SHA1 hash:

cd5336dea3fe77eed3bfa14b85a71e8c326663ea

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

SH256 hash:

f2402aea0d82743becffcf021a86026731cf653b478f7d417de0ab8a76f9e76a

MD5 hash:

564a9a4df4ed59bec2d32323061c13c4

SHA1 hash:

68f99e393c09d00aa0aaa6dead795263599dd7f8

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

SH256 hash:

e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688

MD5 hash:

920a2854e9c183ad2ef7d5543c296d38

SHA1 hash:

2c20da753bdf6f1a46261e2c132dd42f75c94229

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

SH256 hash:

c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0

MD5 hash:

0235caa220bf10454f064023f409d75a

SHA1 hash:

e5e1181dd12e4ff7392c0e66c61eed62b6c30c2b

Link:

https://www.unpac.me/results/318c264b-4ba9-4c40-af43-2668dba6a39a/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c89bf6380445/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/c89bf6380445a49127491a4c68b77bc9ff8ba9b8fa016846ed6cc2274b6133d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/385625/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample