MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef
SHA3-384 hash: cd91b3d6fee80e824900be2674fd116c7d396cd3f373d247b1ea0ef89cdb1ccfd62f724f53bca7ac9aea378f3ebd4d01
SHA1 hash: fa1569a3ffe58c0958fd80bbb95c42bb9031727c
MD5 hash: 031727acc690d345a50ea8c0bd1d5942
humanhash: wolfram-double-red-low
File name:我司已匯$23856 (Our remitted $ 23856).exe
Download: download sample
File size:1'120'256 bytes
First seen:2022-11-01 15:58:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:s1kEY/U6WMtwz2JCvuxnZU797Hf2KdYg:s81twz2JWuxny7FP
Threatray 2'175 similar samples on MalwareBazaar
TLSH T13535E13207A6970FD55752348DD2C3B0AFE89DB5A2B2C6434FD8BD2FF64B4B6A610184
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
323
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
我司已匯$23856 (Our remitted $ 23856).exe
Verdict:
No threats detected
Analysis date:
2022-11-01 16:01:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f156bfb-0d49-439a-bd10-dcce23945359

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326846/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636142479b2225917c1c5522/reports/dce87d3d-1e41-4400-9cb2-e1edbc64ef08/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1af6a5d3-748e-4f55-bf78-3f1d3633a0d4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1102624
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-01 03:33:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
16 of 25 (64.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6grmrzo2oo6zghzeow5ngxyli2yb6npfyonr3arbz3elwr4lyhxq._file
Verdict:
malicious
Similar samples:
04cb7f26c4b9788f2271c0a08c5c867f3a52a2079a744522b6a8027b5a53f4d0
1d471d4c679e7c68369a2824adb475071d80878c73de43bce4635a410b4d3d17
23d6c5ae66bbc3153fc98ec29794f7b0db73802bad923004a783084e3b3ad3e3
527f17988c3928873c376e684ed6790196cc1f0bf9b76346f5f645a0aa7441ac
640e1f98387d8184a8b69457da56206b24c7893b5568fa2c8d7cf6ce65f016ba
675031e66f09b7272a97ee19171d82d6f33e818f2b76164805759ac1177e7f31
7227c4e532a21d2e1a830b8e078bfd8ea886b7cddc6a1cdb6f17e1bc7125507f
757d201efcd23832275a776938bee5e4af405666bde0876172c730faff12832f
827cc8f0e2f93edac3895ba6897e4768d6c3663b0b64c80988129065295d31e5
c9089b729c04a9c07067163df4e244a66e9ecf8122510f5d93aa9f2c1142039a
+ 2'165 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221101-te21mseahl/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/03d40f84-2d62-4578-a4e9-dd28668e145d
Unpacked files
SH256 hash:
7fa3720c44b7b46ea0f1d0e9aa6b164e196ee0f8d7c79bcd282f5b86cd41c7bd
MD5 hash:
210cf57aa172b201b77e52b991801662
SHA1 hash:
4556fe5ddde7b9706ae33ad40c56fe0f269c8b77
Link:
https://www.unpac.me/results/99b85a7d-730d-4f29-af71-69c1e0c931b3/
SH256 hash:
744928a56b4d36f17e73eea0534c5e99103d1553d5b0a864a6fd9d4f9899b47f
MD5 hash:
91fed5db1afcdf48e0cd6d4058a013ba
SHA1 hash:
3717b3346e25d3f66f00626ad1a771d8655f485f
Link:
https://www.unpac.me/results/99b85a7d-730d-4f29-af71-69c1e0c931b3/
SH256 hash:
f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef
MD5 hash:
031727acc690d345a50ea8c0bd1d5942
SHA1 hash:
fa1569a3ffe58c0958fd80bbb95c42bb9031727c
Link:
https://www.unpac.me/results/99b85a7d-730d-4f29-af71-69c1e0c931b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe f1a2c8e5da73bd931f2475bad35f0b46b01f35e5c39b1d8221cec8bb478bc1ef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/326846/

Comments