MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Maldoc score: 4


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da
SHA3-384 hash: 6d70fc02e56575a090c188329a42b8f178b0b5d682cd39552fcdf378eb26d7438c290f8f8eba39f3f4d19bb4a21892e2
SHA1 hash: 836930ccc7c844d908011339ef6b9e2fc28f32c8
MD5 hash: a87cc6a4bb0d644ad85c6f31b4bcbed8
humanhash: montana-speaker-papa-romeo
File name:Fattura N.25 del 30092023.xls
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'180'160 bytes
First seen:2023-11-08 12:29:56 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 24576:CuBSw6/uZyn3bVmw6/WZyo3bVEwkP5K8vSDX8n1FUGSEqY:J6/4q3bVR6/AP3bVE/5/Pn1O5G
TLSH T16D45DF03A8408B83D41C83F46EE74EE91F1ABF09EA916ADF11597F0B3E707721D5A51A
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:AgentTesla CVE-2017-11882 xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 52 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
494 bytesMBD0017F7E3/CompObj
562 bytesMBD0017F7E3/Ole
620409 bytesMBD0017F7E3/CONTENTS
794 bytesMBD0017F7E4/CompObj
862 bytesMBD0017F7E4/Ole
912169 bytesMBD0017F7E4/CONTENTS
1094 bytesMBD0017F7E5/CompObj
1162 bytesMBD0017F7E5/Ole
127284 bytesMBD0017F7E5/CONTENTS
1394 bytesMBD0017F7E6/CompObj
1462 bytesMBD0017F7E6/Ole
1564830 bytesMBD0017F7E6/CONTENTS
1693 bytesMBD0017F7E7/CompObj
1764 bytesMBD0017F7E7/Ole
18124841 bytesMBD0017F7E7/CONTENTS
19114 bytesMBD0017F7E8/CompObj
20708 bytesMBD0017F7E8/DocumentSummaryInformation
2123248 bytesMBD0017F7E8/SummaryInformation
2297872 bytesMBD0017F7E8/Workbook
23414 bytesMBD0017F7E8/_VBA_PROJECT_CUR/PROJECT
2462 bytesMBD0017F7E8/_VBA_PROJECT_CUR/PROJECTwm
25977 bytesMBD0017F7E8/_VBA_PROJECT_CUR/VBA/Sheet1
26985 bytesMBD0017F7E8/_VBA_PROJECT_CUR/VBA/ThisWorkbook
272329 bytesMBD0017F7E8/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
28517 bytesMBD0017F7E8/_VBA_PROJECT_CUR/VBA/dir
2994 bytesMBD0017F7E9/CompObj
3062 bytesMBD0017F7E9/Ole
3164830 bytesMBD0017F7E9/CONTENTS
3293 bytesMBD0017F7EA/CompObj
3364 bytesMBD0017F7EA/Ole
34124841 bytesMBD0017F7EA/CONTENTS
35114 bytesMBD0017F7EB/CompObj
36708 bytesMBD0017F7EB/DocumentSummaryInformation
3723248 bytesMBD0017F7EB/SummaryInformation
3897808 bytesMBD0017F7EB/Workbook
390 bytesMBD0017F7EB/_VBA_PROJECT_CUR/VBA/Sheet1
400 bytesMBD0017F7EB/_VBA_PROJECT_CUR/VBA/ThisWorkbook
410 bytesMBD0017F7EB/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
421782 bytesMBD0017F7EC/OlE10nATivE
4320 bytesMBD0017F7EC/Ole
44476068 bytesWorkbook
45529 bytes_VBA_PROJECT_CUR/PROJECT
46104 bytes_VBA_PROJECT_CUR/PROJECTwm
47977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
48977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
49977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
50985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
512644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
52553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection(s):
SecuriteInfo.com.Other.Malware-gen.12790.22077.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.19728.9505.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.1282.16692.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.25106.3990.UNOFFICIAL
Create hunting rule

Sanesecurity.Shelter.Malware.BadMacro.BadOleNatEquat.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQAndMisCasedOleNativeWasTheCaseThatTheyGaveMe.20200215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file in the %AppData% directory
Сreating synchronization primitives
Creating a file
Sending an HTTP GET request
Forced shutdown of a system process
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da/results/dashboard
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
92%
Tags:
embedequation exploit exploit macros shellcode sload
Link:
https://www.filescan.io/uploads/654b7f643b0c3d6626078996/reports/b6df0fb1-fbaa-41bb-bdbd-644130593ab9/overview
Verdict:
Malicious
Labled as:
CVE-2018-0802
Link:
https://www.hybrid-analysis.com/sample/0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da
Label:
Benign
Suspicious Score:
3.2/10
Score Malicious:
33%
Score Benign:
67%
Link:
https://www.malware.ai/gui/files/?id=9188ae86-ad29-4884-91e3-69a9c0513784
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1339008
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1339008 Sample: Fattura_N.25_del_30092023.xls Startdate: 08/11/2023 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 12 other signatures 2->54 7 EQNEDT32.EXE 12 2->7         started        12 EQNEDT32.EXE 10 2->12         started        14 AcroRd32.exe 33 2->14         started        16 EXCEL.EXE 58 66 2->16         started        process3 dnsIp4 36 104.129.27.214, 49162, 80 ASN-QUADRANET-GLOBALUS United States 7->36 32 C:\Users\user\AppData\Roaming\IGCC.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Local\...\IGCC[1].exe, PE32+ 7->34 dropped 66 Office equation editor establishes network connection 7->66 68 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->68 18 IGCC.exe 7->18         started        21 IGCC.exe 12->21         started        23 RdrCEF.exe 2 14->23         started        file5 signatures6 process7 dnsIp8 56 Multi AV Scanner detection for dropped file 18->56 58 Machine Learning detection for dropped file 18->58 60 Writes to foreign memory regions 18->60 26 CasPol.exe 4 18->26         started        62 Allocates memory in foreign processes 21->62 64 Injects a PE file into a foreign processes 21->64 30 CasPol.exe 21->30         started        38 192.168.2.255, 137, 138 unknown unknown 23->38 signatures9 process10 dnsIp11 40 mail.bretoffice.com 26->40 42 bretoffice.com 26->42 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->72 74 Tries to steal Mail credentials (via file / registry access) 26->74 44 mail.bretoffice.com 30->44 46 bretoffice.com 30->46 76 Tries to harvest and steal browser information (history, passwords, etc) 30->76 78 Installs a global keyboard hook 30->78 signatures12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2023-11-08 08:37:44 UTC
File Type:
Document
Extracted files:
111
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bke3hcudwmmqcbr37mcnmhqn235jvvyruhzhsj5hbliinem6slna._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231108-pphbrsce58/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
AgentTesla
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0a89b38a83b3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1
Create hunting rule
Author:ditekSHen
Description:detects OLE documents potentially exploiting CVE-2017-11882
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:office_document_vba
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xls 0a89b38a83b31901063bfb04d61e0dd6fa9ad711a1f27927a70ad086919e92da

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments