MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 28bc4257b36bcf0688dbe3019b3e92fae0dc8b693f48d008a2fa8358602aaf61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 10
Maldoc score: 27
| SHA256 hash: | 28bc4257b36bcf0688dbe3019b3e92fae0dc8b693f48d008a2fa8358602aaf61 |
|---|---|
| SHA3-384 hash: | 16c7d779c09793cca55df7049425685d053f92bc51f6f3545409ad71884ea4be9a50955c0527c1f21d8fdd28a52d78d9 |
| SHA1 hash: | 6e4a9097c35b51d1915ea910bebf965f6d668d6b |
| MD5 hash: | 35ad73eb3c1e2d5f2cdbf5109e98dd06 |
| humanhash: | mockingbird-london-kilo-april |
| File name: | Quote Request.xlsm |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 2'155'951 bytes |
| First seen: | 2021-08-30 09:29:44 UTC |
| Last seen: | Never |
| File type: |  xlsm |
| MIME type: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| ssdeep | 1536:vLi+KTu00nIcjELc8E16ZDV7zgEqN+vlNTBZqe3p:zWp0n98E16ZDV7cEqN+vCeZ |
| TLSH | T167A538B9FE13D4C6C5C86374CCE30F9C377691AAA741171786A81039EEE37585E9E882 |
| Reporter |  lowmal3 |
| Tags: | AgentTesla xlsm |
Office OLE Information
This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.
OLE id
| Maldoc score: 27 |
OLE dump
MalwareBazaar was able to identify 26 sections in this file using oledump:
| Section ID | Section size | Section name |
|---|---|---|
| A1 | 76 bytes | CompObj |
| A2 | 2390 bytes | Ole10Native |
| B1 | 76 bytes | CompObj |
| B2 | 68068 bytes | Ole10Native |
| C1 | 102 bytes | CompObj |
| C2 | 62 bytes | Ole |
| C3 | 256 bytes | Equation Native |
| D1 | 662 bytes | PROJECT |
| D2 | 173 bytes | PROJECTwm |
| D3 | 740 bytes | VBA/Module1 |
| D4 | 89413 bytes | VBA/Module2 |
| D5 | 991 bytes | VBA/Sheet1 |
| D6 | 991 bytes | VBA/Sheet2 |
| D7 | 991 bytes | VBA/Sheet3 |
| D8 | 991 bytes | VBA/Sheet4 |
| D9 | 999 bytes | VBA/ThisWorkbook |
| D10 | 4730 bytes | VBA/_VBA_PROJECT |
| D11 | 2321 bytes | VBA/__SRP_0 |
| D12 | 357 bytes | VBA/__SRP_1 |
| D13 | 280 bytes | VBA/__SRP_2 |
| D14 | 494 bytes | VBA/__SRP_3 |
| D15 | 638 bytes | VBA/dir |
OLE vba
MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:
| Type | Keyword | Description |
|---|---|---|
| AutoExec | Auto_Open | Runs when the Excel Workbook is opened |
| Hex String | vVEFV | 7656454656 |
| IOC | SHELL32.dll | Executable file name |
| Suspicious | Open | May open a file |
| Suspicious | write | May write to a file (if combined with Open) |
| Suspicious | Kill | May delete a file |
| Suspicious | vbNormal | May run an executable file or a system command |
| Suspicious | run | May run an executable file or a system command |
| Suspicious | ShellExecuteA | May run an executable file or a system command |
| Suspicious | SHELL32 | May run an executable file or a system command |
| Suspicious | Create | May execute file or a system command through WMI |
| Suspicious | GetObject | May get an OLE object with a running instance |
| Suspicious | Lib | May run code from a DLL |
| Suspicious | exec | May run an executable file or a system |
| Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) |
| Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) |
Intelligence
File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote Request.xlsm
Verdict:
Malicious activity
Analysis date:
2021-08-30 09:31:40 UTC
Tags:
macros ole-embedded macros-on-open exploit CVE-2017-11882 loader
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Changing the Zone.Identifier stream
Launching a process
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Moving a file to the %temp% directory
Running batch commands
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Running batch commands by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict:
Clean
File Type:
OOXML Office File
Result
Verdict:
MALICIOUS
Link:
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
expl.evad.troj
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Document contains a stream with embedded javascript code
Document contains an embedded macro with GUI obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with hexadecimal encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Script-WScript.Trojan.Heuristic
Status:
Malicious
First seen:
2021-08-30 09:30:09 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
2/5
Detection(s):
Suspicious file
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
NTFS ADS
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.