MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513
SHA3-384 hash: 4c8e1cfb4ed586a772f0ecb3749c5ff9f91cb0cc9c95f2ec1d62f938841e3256366eae4a5c0f41ab590bfeb166f17123
SHA1 hash: bed0b866c6b8cc1048153b22e96a51f464d6582b
MD5 hash: 858604f0166fa58fe09e96988a87477c
humanhash: fillet-green-pizza-salami
File name:PO944888299393.pps
Download: download sample
Signature AgentTesla
Create hunting rule
File size:79'360 bytes
First seen:2021-04-22 06:18:46 UTC
Last seen:2021-04-23 06:43:58 UTC
File type:PowerPoint file ppt
MIME type:application/vnd.ms-powerpoint
ssdeep 384:tOAQWXO//qzb0cutqxKcur3E3Sr4F1URKMxpcksPY:DXo4YcYw03qSMF1wxWksPY
TLSH 7A73700075F8E114E4212A718DE3F7DA2234BD539F2A073772B4335E1D3A9A5BA40BB9
Reporter TeamDreier
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
5
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SMTP[1] (32).eml
Verdict:
Malicious activity
Analysis date:
2021-04-22 04:02:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ef741c9b-ba85-4c5c-beab-32562b47fb85

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.200401.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.AutoExecSeparateWays.20200818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
Suspicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513/results/dashboard
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692327
Signature
Command shell drops VBS files
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 395117 Sample: PO944888299393.pps Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 58 papagunnakjdnmwdnwmndwm.blogspot.com 2->58 60 blogspot.l.googleusercontent.com 2->60 86 Multi AV Scanner detection for submitted file 2->86 88 Sigma detected: Powershell execute code from registry 2->88 90 Sigma detected: Schedule script from internet via mshta 2->90 92 Document exploit detected (process start blacklist hit) 2->92 10 cmd.exe 1 2->10         started        12 taskeng.exe 1 2->12         started        14 mshta.exe 2->14         started        16 9 other processes 2->16 signatures3 process4 dnsIp5 19 POWERPNT.EXE 142 12 10->19         started        21 mshta.exe 10 12->21         started        23 powershell.exe 14->23         started        52 archive.org 207.241.224.2, 443, 49179, 49193 INTERNET-ARCHIVEUS United States 16->52 54 ia801503.us.archive.org 207.241.228.153, 443, 49177, 49190 INTERNET-ARCHIVEUS United States 16->54 56 17 other IPs or domains 16->56 26 powershell.exe 16->26         started        28 powershell.exe 16->28         started        process6 dnsIp7 30 mshta.exe 13 50 19->30         started        34 mshta.exe 20 21->34         started        62 ia803401.us.archive.org 23->62 64 ia801503.us.archive.org 23->64 66 archive.org 23->66 68 ia803401.us.archive.org 26->68 70 ia801503.us.archive.org 26->70 72 archive.org 26->72 process8 dnsIp9 74 j.mp 67.199.248.16, 49167, 80 GOOGLE-PRIVATE-CLOUDUS United States 30->74 76 www.j.mp 30->76 82 5 other IPs or domains 30->82 98 Very long command line found 30->98 100 Creates autostart registry keys with suspicious values (likely registry only malware) 30->100 102 Creates multiple autostart registry keys 30->102 104 4 other signatures 30->104 36 schtasks.exe 30->36         started        38 taskkill.exe 30->38         started        40 taskkill.exe 30->40         started        78 www.blogger.com 34->78 80 getyournewblog.blogspot.com 34->80 42 cmd.exe 34->42         started        signatures10 process11 file12 50 C:\Users\Public\SiggiaW.vbs, ASCII 42->50 dropped 94 Potential malicious VBS script found (has network functionality) 42->94 96 Command shell drops VBS files 42->96 46 wscript.exe 42->46         started        signatures13 process14 dnsIp15 84 ia601502.us.archive.org 207.241.227.112, 443, 49198 INTERNET-ARCHIVEUS United States 46->84 106 System process connects to network (likely due to code injection or exploit) 46->106 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513/
Threat name:
Document-Office.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 22:04:16 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger macro persistence spyware stealer trojan
Link:
https://tria.ge/reports/210422-cqxxx5rs1x/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Malware Config
C2 Extraction:
http://103.133.105.179/909/inc/29e2365d4334a8.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18b7a818fd88133d309ce7191e9c3eb85a3b31d0bbaf2c08df0f1cbdc26a7513

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments