MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9


SHA256 hash: 3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353
SHA3-384 hash: 84e4bdf9d39b95327956d453c82964199329abddf10c6ce272c71cebfffb6bedae7f027175e7c16400163f998e44a39b
SHA1 hash: c0c6c5e57968b372b30a939cc2db89b93acc99b1
MD5 hash: f9d2f6aa2818e3650ad78eca52d06ad7
humanhash: april-salami-florida-harry
File name: DHL Import Duty Invoice.ppam
Signature: AgentTesla
File size: 6'008 bytes
First seen: 2021-10-27 10:19:38 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 96:Y7XwkNP1X61QRZFdUlT1xtAEf2NqIMCnYOZpiNmk6MTPQGkr:Y7XHPJUlZEvNDTn1YkTG8
TLSH: T1F5C1AFD1FF4FB199C7070B390115A56A7D15FA16AEC91177D48A11108DE13F70B0328F
Reporter: abuse_ch
Tags: AgentTesla DHL ppam

Intelligence

File Origin
# of uploads: 1
# of downloads: 132
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Payload URLs:
  URL: https://www.bitly.com/'
  File name: ajsdoaksodkasodk.b
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-open sload
Result
Verdict: MALICIOUS
Details:
  Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
  Macro Contains Suspicious String: Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Command shell drops VBS files
Compiles code for process injection (via .Net compiler)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Disables Windows Defender (via service or powershell)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour

Behavior Graph (ID 510069; sample: DHL Import Duty Invoice.ppam; start date: 27/10/2021; architecture: WINDOWS; score: 100), laid out here as a process tree recovered from the graph's node labels (node numbers in parentheses):

Root (2)
  Contacted: www.google.com; media-router.wixstatic.com; 3 other IPs or domains
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 14 other signatures
  Started: POWERPNT.EXE (10); mshta.exe (13); mshta.exe (17); 13 other processes (19)

POWERPNT.EXE (10)
  Dropped: C:\Users\...\~$DHL Import Duty Invoice.ppam (data)
  Started: mshta.exe (21)

mshta.exe (13)
  Contacted: www.google.com; 5 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\13[2].htm (HTML)
  Signatures: Very long command line found
  Started: cmd.exe (26)

mshta.exe (17)
  Contacted: www.blogger.com; 4 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\13[1].htm (HTML)
  Signatures: Creates processes via WMI

13 other processes (19)
  Contacted: www.google.com; 25 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\13[3].htm (HTML)
  Started: cmd.exe (28); conhost.exe (30); conhost.exe (32); 5 other processes (34)

mshta.exe (21)
  Contacted: gstaticadssl.l.google.com 142.250.184.195, 443, 49788, 49798, GOOGLEUS United States; blogger.l.google.com 142.250.184.201, 443, 49771, 49772, GOOGLEUS United States; 11 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\13[1].htm (HTML)
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; 2 other signatures
  Started: powershell.exe (36); taskkill.exe (41); taskkill.exe (43); schtasks.exe (45)

cmd.exe (26)
  Signatures: Potential malicious VBS script found (suspicious strings); Potential malicious VBS script found (has network functionality); Command shell drops VBS files
  Started: wscript.exe (47); conhost.exe (49)

cmd.exe (28)
  Dropped: C:\Users\Public\hulalalMCROSOFT.vbs (ASCII)
  Started: conhost.exe (51)

powershell.exe (36)
  Contacted: gcp.media-router.wixstatic.com 34.102.176.152, 443, 49823, 49835, GOOGLEUS United States; media-router.wixstatic.com; 92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com
  Dropped: C:\Users\user\AppData\...\d25qjgcg.cmdline (UTF-8); C:\Users\user\AppData\Local\...\d25qjgcg.0.cs (C++)
  Signatures: Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); Injects a PE file into a foreign processes
  Started: csc.exe (53); conhost.exe (56); jsc.exe (58)

taskkill.exe (41)
  Started: conhost.exe (60)

taskkill.exe (43)
  Started: conhost.exe (62)

schtasks.exe (45)
  Started: conhost.exe (64)

wscript.exe (47)
  Contacted: media-router.wixstatic.com; deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com
  Dropped: C:\Users\Public\yyyy1.vbs (data); C:\Users\Public\xxx1.txt (ASCII)
  Signatures: System process connects to network (likely due to code injection or exploit); Windows Shell Script Host drops VBS files; Creates processes via WMI
  Started: wscript.exe (66)

csc.exe (53)
  Dropped: C:\Users\user\AppData\Local\...\d25qjgcg.dll (PE32)

wscript.exe (66)
  Started: wscript.exe (68)
Threat name: Script-Macro.Dropper.Powdow
Status: Malicious
First seen: 2021-10-27 10:20:06 UTC
AV detection: 12 of 27 (44.44%)
Threat level: 3/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Checks processor information in registry
Creates scheduled task(s)
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
PowerPoint file ppam 3ed7cb075765f5e5ab3d98021d4fdf3e81498709452af99a220f3f831fe46353 (this sample)

Delivery method: Distributed via e-mail attachment

Comments