MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3
SHA3-384 hash: 286eac9fad0c9318a7c05a52e65a76a667ac20187df717d31270ce3c847b657e7215fe53b95a3580019a8d0ad44c5634
SHA1 hash: 50c56cc2605977718fb6682b93e6a5b6a7dac899
MD5 hash: 79aea033613048c39d1611d697ba4eab
humanhash: alabama-seven-india-shade
File name:PAYMENT.doc
Download: download sample
Signature AgentTesla
Create hunting rule
File size:217'189 bytes
First seen:2020-10-06 05:25:25 UTC
Last seen:2020-10-06 05:26:00 UTC
File type:Word file doc
MIME type:text/rtf
ssdeep 1536:97FSTvHyjtHv9Yr9qm2o6+uwNRR+eLUSJ+31Cy6mAgaeeVhMDw5wfLu:9oWraRDAw5wf6
TLSH 0C2464B831974864E749C81A5168B56D0AF5F2E374C54DB123EFE430DFA4FE0AF88286
Reporter cocaman
Tags:AgentTesla doc


Avatar
cocaman
Malicious email (T1566.001)
From: ""Yongha Yang(Nick)"<kenanakman@ajanskert.com>"
Received: "from post.portal-znaniy.ru (xn--80aauffipbdjmy.xn--p1ai [185.247.194.12]) "
Date: "Mon, 5 Oct 2020 14:18:30 -0700"
Subject: "RE:RE:RE:PAYMENT"
Attachment: "PAYMENT.doc"

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Sending an HTTP GET request
Launching a file downloaded from the Internet
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482253
Signature
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Multi AV Scanner detection for submitted file
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell download and execute file
Sigma detected: Scheduled temp file as task from temp location
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293568 Sample: PAYMENT.doc Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 63 Antivirus / Scanner detection for submitted sample 2->63 65 Sigma detected: Powershell download and execute file 2->65 67 Sigma detected: Scheduled temp file as task from temp location 2->67 69 13 other signatures 2->69 9 WINWORD.EXE 305 46 2->9         started        process3 file4 47 C:\Users\user\AppData\Local\...\ebyjon[1].exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\FLED3C.tmp, 370 9->49 dropped 51 C:\Users\user\AppData\...\Abctfhghgdghgh .scT, data 9->51 dropped 53 C:\Users\user\AppData\Local\...\FC9EB000.png, 370 9->53 dropped 81 Document exploit detected (creates forbidden files) 9->81 83 Suspicious powershell command line found 9->83 85 Tries to download and execute files (via powershell) 9->85 87 3 other signatures 9->87 13 powershell.exe 12 7 9->13         started        18 powershell.exe 7 9->18         started        20 powershell.exe 7 9->20         started        22 3 other processes 9->22 signatures5 process6 dnsIp7 61 91.234.33.4, 49167, 49168, 80 THEHOST-ASUA Ukraine 13->61 59 C:\Users\user\AppData\Roaming\notepad.exe, PE32 13->59 dropped 89 Powershell drops PE file 13->89 24 notepad.exe 1 9 13->24         started        27 notepad.exe 18->27         started        30 notepad.exe 20->30         started        91 Injects files into Windows application 22->91 file8 signatures9 process10 file11 73 Machine Learning detection for dropped file 24->73 75 Injects a PE file into a foreign processes 24->75 77 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 24->77 32 schtasks.exe 24->32         started        34 notepad.exe 24->34         started        55 C:\Users\user\AppData\Local\...\tmp9E52.tmp, XML 27->55 dropped 79 Injects files into Windows application 27->79 36 notepad.exe 27->36         started        39 schtasks.exe 27->39         started        57 C:\Users\user\AppData\...\xlyfHgvOdnWexz.exe, PE32 30->57 dropped 41 notepad.exe 30->41         started        43 schtasks.exe 30->43         started        signatures12 process13 signatures14 71 Injects files into Windows application 36->71 45 dw20.exe 36->45         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3/
Threat name:
Script-VBS.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 12:54:56 UTC
File Type:
Document
Extracted files:
8
AV detection:
17 of 48 (35.42%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201006-ttmr2v98ys/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
NTFS ADS
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Exploit
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Retefe
Create hunting rule
Author:bartblaze
Description:Retefe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc 38ad7c6561e218160a0563cd037e4b55540f43d759e79183c189d223cc9fcde3

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments