MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Maldoc score: 25


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
SHA3-384 hash: 86788d82414cceee0c34b22f70c5b3d4ea0235bd4020fe7fb903aeff3acb4baa63ff7d2547492b72d6ac5662fe2ede7b
SHA1 hash: 0ce87f1116fe287bc9415a051af23c81d27449c1
MD5 hash: eab9dd0c6c9970b12851dc56c8e77ebb
humanhash: friend-eighteen-fix-summer
File name:SOA May.xlt
Download: download sample
Signature AgentTesla
Create hunting rule
File size:725'504 bytes
First seen:2021-05-10 06:30:13 UTC
Last seen:2021-05-10 07:02:34 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 12288:yLU1kGQBQ+iU7qJEiCTeqo6w7krCfIasvhpfqKmiQqDl6fXdKTNVGQoUYSdCK0xU:yLU1GQ+ifN0WvfIdfqKmdGIfX8LG/+qU
TLSH CBF41255BA91CC4BC64207B50DA5D7D4271BFC109E77C24B3284F32F6E366B0CA936AA
Reporter abuse_ch
Tags:AgentTesla xlt

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 25
Application name is Microsoft Excel
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2244 bytesDocumentSummaryInformation
3224 bytesSummaryInformation
4684847 bytesWorkbook
5596 bytes_VBA_PROJECT_CUR/PROJECT
6146 bytes_VBA_PROJECT_CUR/PROJECTwm
7831 bytes_VBA_PROJECT_CUR/VBA/Module1
8993 bytes_VBA_PROJECT_CUR/VBA/Sheet1
9993 bytes_VBA_PROJECT_CUR/VBA/Sheet2
10993 bytes_VBA_PROJECT_CUR/VBA/Sheet3
1111867 bytes_VBA_PROJECT_CUR/VBA/ThisWorkouiuhjbook
124753 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
133101 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
14322 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
151020 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
161868 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
17634 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoExecRuns when the Word document is opened
AutoExecAutoOpenRuns when the Word document is opened
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
IOCwebservices.dllExecutable file name
IOCgameux.dllExecutable file name
IOCshell32.dllExecutable file name
IOCFntCache.dllExecutable file name code and P-code are different, this may have been used to hide malicious code
SuspiciousEnvironMay read system environment variables
SuspiciousopenMay open a file
SuspiciousvbNormalFocusMay run an executable file or a system command
SuspiciousShellExecuteAMay run an executable file or a system command
Suspiciousshell32May run an executable file or a system command
SuspiciousLibMay run code from a DLL
SuspiciousURLDownloadToFileAMay download files from the Internet
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SOA May.xlt
Verdict:
No threats detected
Analysis date:
2021-05-10 06:54:16 UTC
Tags:
macros macros-on-open
Link:
https://app.any.run/tasks/300fc433-0750-476d-8b00-b73f5e82faca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153716/
Detection(s):
TwinWave.EvilDoc.URLDownloaderSuperStar.20200510.UNOFFICIAL
Create hunting rule

TwinWave.EvilDocs.FuncStacksJustWannaHaveFUN.20210129.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.ShellExe.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6/results/dashboard
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
expl.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/721164
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: MS Office Product Spawning Exe in User Dir
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 409509 Sample: SOA May.xlt Startdate: 10/05/2021 Architecture: WINDOWS Score: 100 47 tractorandinas.com 2->47 49 ftp.tractorandinas.com 2->49 65 Found malware configuration 2->65 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 11 other signatures 2->71 8 EXCEL.EXE 32 36 2->8         started        12 Vaijia.exe 15 2->12         started        15 Vaijia.exe 16 2->15         started        signatures3 process4 dnsIp5 51 onedrive.live.com 8->51 53 j98x7w.am.files.1drv.com 8->53 55 dm-files.fe.1drv.com 8->55 37 C:\Users\user\ctci.exe, PE32 8->37 dropped 39 C:\...\Cprtoifhsdfghdfjmcnbjmxgfoom[1].exe, PE32 8->39 dropped 17 ctci.exe 1 25 8->17         started        57 onedrive.live.com 12->57 61 2 other IPs or domains 12->61 83 Multi AV Scanner detection for dropped file 12->83 85 Detected unpacking (changes PE section rights) 12->85 87 Detected unpacking (overwrites its own PE header) 12->87 89 4 other signatures 12->89 22 Vaijia.exe 2 12->22         started        59 onedrive.live.com 15->59 63 2 other IPs or domains 15->63 file6 signatures7 process8 dnsIp9 41 onedrive.live.com 17->41 43 dxx05q.am.files.1drv.com 17->43 45 dm-files.fe.1drv.com 17->45 29 C:\Users\Public\Vaijia\Vaijia.exe, PE32 17->29 dropped 31 C:\Users\Public31etplwiz.exe, PE32+ 17->31 dropped 33 C:\Users\Public33ETUTILS.dll, PE32+ 17->33 dropped 73 Multi AV Scanner detection for dropped file 17->73 75 Detected unpacking (changes PE section rights) 17->75 77 Detected unpacking (overwrites its own PE header) 17->77 79 5 other signatures 17->79 24 ctci.exe 2 17->24         started        27 cmd.exe 17->27         started        35 C:\Windows\System32\drivers\etc\hosts, ASCII 22->35 dropped file10 signatures11 process12 signatures13 81 Modifies the hosts file 24->81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6/
Threat name:
Script-Macro.Trojan.Sadoca
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 05:21:22 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=draj73rw3wstg7xtidouqdms7p3i3jul5yvcr4th333lxnrxkx3a._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger macro macro_on_action persistence spyware stealer trojan
Link:
https://tria.ge/reports/210510-k6xvw7n5yx/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153716/

Comments