MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4150896afc0a5d16b056f07c93e4112946ac381bbd0b4c54a4b4fff6bd14331c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 12
Maldoc score: 28

SHA256 hash: 4150896afc0a5d16b056f07c93e4112946ac381bbd0b4c54a4b4fff6bd14331c
SHA3-384 hash: 041f75b07bbf771370daf4d6c4fdffb6d26a33b1f175116aefeb9ac32fbc33e28b67e2f31932e84d96feb62b79aa0519
SHA1 hash: be8f043b1f908c6daafdcfef19ecd673fcdc15bf
MD5 hash: c70e07ea0c3eb0fba3833e49ffc4b88e
humanhash: freddie-charlie-island-november
File name: c70e07ea0c3eb0fba3833e49ffc4b88e.doc
Signature: AgentTesla
File size: 218'112 bytes
First seen: 2024-01-05 18:47:59 UTC
Last seen: Never
File type: Word file doc
MIME type: application/msword
ssdeep: 3072:dTlh0dE2nF88MbEOIJDT/MI0+HmksYJR:h2O6JXnGk
TLSH: T1FC24DD285BD7B311C09EE5302F6A7A9BB171AC4FBBDE71F600C6B93828F511259C7258
TrID: 52.6% (.DOC) Microsoft Word document (30000/1/2)
      33.3% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
      14.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: smica83
Tags: doc LTU

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained with oletools and oledump.

OLE id
Maldoc score: 28
OLE dump

MalwareBazaar was able to identify 13 sections in this file using oledump:

Section ID   Section size   Section name
1            114 bytes      CompObj
2            4096 bytes     DocumentSummaryInformation
3            4096 bytes     SummaryInformation
4            16672 bytes    1Table
5            5050 bytes     Data
6            542 bytes      Macros/PROJECT
7            101 bytes      Macros/PROJECTwm
8            1143 bytes     Macros/VBA/ThisDocument
9            3256 bytes     Macros/VBA/_VBA_PROJECT
10           618 bytes      Macros/VBA/dir
11           139777 bytes   Macros/VBA/loibnonfa
12           1201 bytes     Macros/VBA/upehgwllo
13           34935 bytes    WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) in this file using olevba, and obtained the following information from the embedded OLE objects:

Type        Keyword          Description
AutoExec    AutoOpen         Runs when the Word document is opened
AutoExec    Document_Close   Runs when the Word document is closed
Suspicious  Environ          May read system environment variables
Suspicious  Environment      May read system environment variables
Suspicious  open             May open a file
Suspicious  Write            May write to a file (if combined with Open)
Suspicious  ShellExecute     May run an executable file or a system command
Suspicious  CreateObject     May create an OLE object
Suspicious  Chr              May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious  Shell            May run an executable file or a system
Suspicious  run              May run an executable file or a system
Suspicious  Windows          May enumerate application windows (if combined with Shell.Application object)
Suspicious  System           May run an executable file or a system command on a Mac (if combined with
Suspicious  Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 327
Origin country: HU

Vendor Threat Intelligence

Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Sending a custom TCP request
  Creating synchronization primitives
  Creating a file in the %temp% directory
  DNS request
  Unauthorized injection to a recently created process
  Creating a process from a recently created file

Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Behaviour:
  BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive language-ru macros macros-on-close macros-on-open obfuscated

Label: Benign
Suspicious Score: 4.4/10
Score Malicious: 44%
Score Benign: 56%

Result
Verdict: MALICIOUS
Details:
  Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
  Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
  InQuest Machine Learning: An InQuest machine-learning model classified this macro as potentially malicious.

Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for dropped file
  Document contains an embedded VBA macro which may execute processes
  Document contains an embedded VBA macro with suspicious strings
  Document contains an embedded VBA with functions possibly related to ADO stream file operations
  Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
  Document contains an embedded VBA with hexadecimal encoded strings
  Document contains an embedded VBA with many string operations indicating source code obfuscation
  Document exploit detected (creates forbidden files)
  Document exploit detected (drops PE files)
  Document exploit detected (process start blacklist hit)
  Installs new ROOT certificates
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Office process drops PE file
Behaviour:
  Behavior Graph:

Threat name: Document-Word.Trojan.MacrosCorona
Status: Malicious
First seen: 2024-01-05 16:49:00 UTC
File Type: Document
Extracted files: 21
AV detection: 16 of 36 (44.44%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro macro_on_action
Behaviour:
  Suspicious use of WriteProcessMemory
  Checks processor information in registry
  Enumerates system info in registry
  Modifies Internet Explorer settings
  Modifies registry class
  Suspicious behavior: AddClipboardFormatListener
  Suspicious use of SetWindowsHookEx
  Office loads VBA resources, possible macro or embedded object present
  Drops file in Windows directory

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Office_AutoOpen_Macro
Author: Florian Roth
Description: Detects a Microsoft Office file that contains the AutoOpen Macro function

Rule name: Office_AutoOpen_Macro
Author: Florian Roth (Nextron Systems)
Description: Detects a Microsoft Office file that contains the AutoOpen Macro function

Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla | Word file doc | 4150896afc0a5d16b056f07c93e4112946ac381bbd0b4c54a4b4fff6bd14331c (this sample)
