MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 4 Comments

SHA256 hash: 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef
SHA3-384 hash: da0c20d0d7592419ac00a8fdb9c570bb1bcdf60fbf46b24630b24747a4090172c4dccbae66457e7a89f9db3d52f05141
SHA1 hash: ecaf75e4135bb8f585ce31249d3284871dc4d042
MD5 hash: 2cb0d10d142dcee0d4f941ee11492746
humanhash: mars-carpet-uncle-mountain
File name:PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm
Download: download sample
Signature AgentTesla
File size:140'575 bytes
First seen:2020-07-31 16:14:56 UTC
Last seen:2020-07-31 16:49:01 UTC
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 3072:Vl75/5BOG4kgGkmlWADTvu4+P697QV/P3v/Oh06aA0:Vll/qGNJkmMGu697QV/Pf2m6aA0
TLSH 72D3F1827355F5CFF5D287B1A04367EB33D68A989E09DA55A043F2BC2D70C232B16E54
Reporter @abuse_ch
Tags:AgentTesla xlsm


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: mail.sharpsing.com
Sending IP: 175.45.16.2
From: Elise VILLE <e.ville@sharpsing.com>
Subject: FW:PO_10032885_Mahler-Besse_2_16_2020_1207.xls
Attachment: PO_10032885_Mahler-Besse_2_16_2020_1207.xls.xlsm

AgentTesla payload URL:
http://baolanh.vn/modules/jmsslider/views/img/layers/FriKanya.exe

AgentTesla SMTP exfil server:
mail.cam-asean.com:587

Intelligence


File Origin
# of uploads :
2
# of downloads :
55
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: MS Office Product Spawning Exe in User Dir
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255480 Sample: PO_10032885_Mahler-Besse_2_... Startdate: 01/08/2020 Architecture: WINDOWS Score: 100 42 g.msn.com 2->42 44 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->44 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Document exploit detected (drops PE files) 2->64 66 13 other signatures 2->66 8 EXCEL.EXE 34 41 2->8         started        13 MyKanyAasean.exe 2 2->13         started        15 MyKanyAasean.exe 1 2->15         started        signatures3 process4 dnsIp5 46 baolanh.vn 112.213.88.125, 49713, 80 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 8->46 34 C:\Users\user\AppData\...\FriKanya[1].exe, PE32 8->34 dropped 36 C:\Users\Public\svchost32.exe, PE32 8->36 dropped 38 ~$PO_10032885_Mahl..._2020_1207.xls.xlsm, data 8->38 dropped 68 Document exploit detected (creates forbidden files) 8->68 70 Document exploit detected (process start blacklist hit) 8->70 17 svchost32.exe 4 8->17         started        21 splwow64.exe 8->21         started        23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        file6 signatures7 process8 file9 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 17->32 dropped 54 Writes to foreign memory regions 17->54 56 Allocates memory in foreign processes 17->56 58 Injects a PE file into a foreign processes 17->58 27 AddInProcess32.exe 17 16 17->27         started        signatures10 process11 dnsIp12 48 mail.cam-asean.com 107.180.12.39, 49739, 587 AS-26496-GO-DADDY-COM-LLCUS United States 27->48 50 checkip.us-east-1.prod.check-ip.aws.a2z.com 3.209.167.237, 49738, 80 AMAZON-AESUS United States 27->50 52 2 other IPs or domains 27->52 40 C:\Users\user\AppData\...\MyKanyAasean.exe, PE32 27->40 dropped 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->72 74 Tries to steal Mail credentials (via file access) 27->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 27->76 78 5 other signatures 27->78 file13 signatures14
Threat name:
Script-Macro.Trojan.Bluteal
Status:
Malicious
First seen:
2020-07-31 16:16:06 UTC
AV detection:
12 of 31 (38.71%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Executes dropped EXE
AgentTesla Payload
AgentTesla
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm 191c3798be77e205711c854c27a25152dcc6185858f95e404ad71fd34c7214ef

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments