MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Maldoc score: 26


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c
SHA3-384 hash: 60421085f24d6b9def12a50b9450e71cbe386c4d6f5dfe6cd02a8e68604429de55f7f5bde3a53d1b26550dc1c51375b3
SHA1 hash: 4722915714d0864eaac6a318f6d1b8d6f2403971
MD5 hash: 87af607899c7479d4e6f80a0acb4e3c8
humanhash: vegan-florida-double-washington
File name:SecuriteInfo.com.Exploit.Siggen3.16583.277.6124
Download: download sample
Signature AgentTesla
Create hunting rule
File size:769'024 bytes
First seen:2021-04-09 12:56:56 UTC
Last seen:2021-04-09 13:16:00 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:pxEtjPOtioVjDGUU1qfDlavx+W2QnAJNDg4iU9Un2hsgshpiXhaeiMFMoXg8AYwy:aGK7KR7Q7SnRKfkx
TLSH 96F40762A683EE0FE3AF45704C5F7FF4BB29E9019B2F59936012E12A4D2DD11F345892
Reporter SecuriteInfoCom
Tags:AgentTesla

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 26
Application name is Microsoft Excel
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 46 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2384 bytesDocumentSummaryInformation
3224 bytesSummaryInformation
425672 bytesWorkbook
51540 bytes_VBA_PROJECT_CUR/PROJECT
6488 bytes_VBA_PROJECT_CUR/PROJECTwm
797 bytes_VBA_PROJECT_CUR/UserForm1/CompObj
8291 bytes_VBA_PROJECT_CUR/UserForm1/VBFrame
966 bytes_VBA_PROJECT_CUR/UserForm1/f
100 bytes_VBA_PROJECT_CUR/UserForm1/o
1197 bytes_VBA_PROJECT_CUR/UserForm2/CompObj
12291 bytes_VBA_PROJECT_CUR/UserForm2/VBFrame
13171 bytes_VBA_PROJECT_CUR/UserForm2/f
1472 bytes_VBA_PROJECT_CUR/UserForm2/o
1597 bytes_VBA_PROJECT_CUR/UserForm3/CompObj
16291 bytes_VBA_PROJECT_CUR/UserForm3/VBFrame
17167 bytes_VBA_PROJECT_CUR/UserForm3/f
1868 bytes_VBA_PROJECT_CUR/UserForm3/o
19950 bytes_VBA_PROJECT_CUR/VBA/Module1
2029441 bytes_VBA_PROJECT_CUR/VBA/Sheet1
2157303 bytes_VBA_PROJECT_CUR/VBA/Sheet10
22978 bytes_VBA_PROJECT_CUR/VBA/Sheet11
2357303 bytes_VBA_PROJECT_CUR/VBA/Sheet12
2457303 bytes_VBA_PROJECT_CUR/VBA/Sheet13
2557424 bytes_VBA_PROJECT_CUR/VBA/Sheet14
2657303 bytes_VBA_PROJECT_CUR/VBA/Sheet15
2729446 bytes_VBA_PROJECT_CUR/VBA/Sheet2
2829465 bytes_VBA_PROJECT_CUR/VBA/Sheet3
2929492 bytes_VBA_PROJECT_CUR/VBA/Sheet4
3029504 bytes_VBA_PROJECT_CUR/VBA/Sheet5
3129504 bytes_VBA_PROJECT_CUR/VBA/Sheet6
3257300 bytes_VBA_PROJECT_CUR/VBA/Sheet7
3357372 bytes_VBA_PROJECT_CUR/VBA/Sheet8
3457376 bytes_VBA_PROJECT_CUR/VBA/Sheet9
3564112 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
361319 bytes_VBA_PROJECT_CUR/VBA/UserForm1
371167 bytes_VBA_PROJECT_CUR/VBA/UserForm2
381168 bytes_VBA_PROJECT_CUR/VBA/UserForm3
396343 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
403352 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
41194 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
422044 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
43234 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
44136 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
45104 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
461265 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
AutoExecUserForm_ClickRuns when the file is opened and ActiveX objects trigger events
SuspiciousOpenMay open a file
SuspiciousWriteMay write to a file (if combined with Open)
Suspiciousadodb.streamMay create a text file
SuspiciousSaveToFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousShell.ApplicationMay run an application (if combined with CreateObject)
Suspiciousmicrosoft.xmlhttpMay download files from the Internet
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousXorMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) code and P-code are different, this may have been used to hide malicious code

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Oder.xls
Verdict:
No threats detected
Analysis date:
2021-04-09 09:11:53 UTC
Tags:
macros macros-on-open
Link:
https://app.any.run/tasks/4156cc89-2e71-4b83-805b-e7250d8aac52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133373/
Detection(s):
MiscreantPunch.EvilMacro.DL.170224.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.StatusIsLikeAFriend.20210201.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Exploit.Siggen3.16583.277.6124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c/results/dashboard
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Shell.Application Object
Detected the instantiation of Shell Application object within the macro.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/671364
Signature
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384626 Sample: SecuriteInfo.com.Exploit.Si... Startdate: 09/04/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 14 other signatures 2->75 7 EXCEL.EXE 148 26 2->7         started        12 gqxRqe.exe 2 2->12         started        14 gqxRqe.exe 2 2->14         started        process3 dnsIp4 57 smartzonuae.com 199.250.214.202, 49167, 80 IMH-WESTUS United States 7->57 59 www.smartzonuae.com 7->59 51 C:\Users\user\AppData\Roaming\...\FVVPPD.exe, PE32 7->51 dropped 53 C:\Users\user\...\pilentotioprom[1].exe, PE32 7->53 dropped 85 Document exploit detected (creates forbidden files) 7->85 16 FVVPPD.exe 1 8 7->16         started        87 Multi AV Scanner detection for dropped file 12->87 20 schtasks.exe 12->20         started        22 gqxRqe.exe 12->22         started        24 gqxRqe.exe 12->24         started        32 3 other processes 12->32 26 schtasks.exe 14->26         started        28 gqxRqe.exe 14->28         started        30 gqxRqe.exe 14->30         started        34 3 other processes 14->34 file5 signatures6 process7 file8 43 C:\Users\user\AppData\...KwzDbHUeF.exe, PE32 16->43 dropped 45 C:\Users\user\AppData\Local\Temp\tmp2FE.tmp, XML 16->45 dropped 61 Multi AV Scanner detection for dropped file 16->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->65 67 2 other signatures 16->67 36 FVVPPD.exe 13 12 16->36         started        41 schtasks.exe 16->41         started        signatures9 process10 dnsIp11 55 199.188.200.93, 12082, 21, 49168 NAMECHEAP-NETUS United States 36->55 47 C:\Users\user\AppData\Roaming\...\gqxRqe.exe, PE32 36->47 dropped 49 C:\Windows\System32\drivers\etc\hosts, ASCII 36->49 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->77 79 Tries to steal Mail credentials (via file access) 36->79 81 Tries to harvest and steal ftp login credentials 36->81 83 3 other signatures 36->83 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c/
Threat name:
Document-Office.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 01:16:07 UTC
AV detection:
24 of 48 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ac5e6bm4sqkqo2bhafxbzk2gtojh7rm3ps77vpzbb44ptihnj4oa._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger macro macro_on_action persistence spyware stealer trojan
Link:
https://tria.ge/reports/210409-1n84bskzpe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00ba4f059c9415076827016e1cab469b927fc59b7cbffabf210f38f9a0ed4f1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_OLE_Suspicious_ActiveX
Create hunting rule
Author:ditekSHen
Description:detects OLE documents with suspicious ActiveX content
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133373/

Comments