MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c
SHA3-384 hash:	31e911c9936ff341df23a77f7a2cec6ecff913efe8df78c877c3b5ddf2265c75fdcbdb35087e1b4540d51d5450315434
SHA1 hash:	c7598b9660972a56e50a48931608861140ffcef6
MD5 hash:	73ff85a7903a5bc43da5db3de9f85714
humanhash:	nine-five-august-kilo
File name:	quotation.doc
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	3'944 bytes
First seen:	2024-05-10 11:00:22 UTC
Last seen:	Never
File type:	doc
MIME type:	text/rtf
ssdeep	96:qbjNanHXAKrjZiEStwVS9bZVBIxAPk/B9UM/qRsM6MUHlR:qbZuwAcESIS9fS/PUMCRn637
TLSH	T1F0813A75A7881563D5AF82A7912C3FAE01EBF37919C81CD2D399FA72090F1906743A41
Reporter	lowmal3
Tags:	CVE-2017-11882 doc

Intelligence

File Origin

# of uploads :

# of downloads :

379

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c.doc

Verdict:

Suspicious activity

Analysis date:

2024-05-10 11:01:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3a7d422a-c05c-4eb5-b470-6d3a970c2e90

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Shelter.Malware.BadRtf.ObjUpd.UNOFFICIAL

MiscreantPunch.RTF.2017-0199.Obfus.171711.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

Creating a window

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% directory

Running batch commands

Creating a process with a hidden window

Connection attempt by exploiting the app vulnerability

Creating a process from a recently created file

Result

Verdict:

Malicious

File Type:

Fake RTF File

Link:

https://app.docguard.net/54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

exploit

Link:

https://www.filescan.io/uploads/663dfe7ddf07636df8d3aa78/reports/800f426b-928c-4175-80a3-fd21b9a979cf/overview

Verdict:

Malicious

Labled as:

CVE-2018-0798

Link:

https://www.hybrid-analysis.com/sample/54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c

Gathering data

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1439546

Signature

Antivirus detection for URL or domain

Document exploit detected (process start blacklist hit)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Office equation editor drops PE file

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: Equation Editor Network Connection

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Suspicious Binary In User Directory Spawned From Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Behaviour

Behavior Graph:

Download SVG

Score:

90%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c

Detection:

cve-2017-11882-shellcode

Link:

https://mwdb.cert.pl/sample/54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c/

Threat name:

Document-RTF.Exploit.CVE-2017-11882

Status:

Malicious

First seen:

2024-05-10 08:17:33 UTC

File Type:

Document

Extracted files:

AV detection:

19 of 36 (52.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=krme4vx4rmx5omm5ubpmyngke4oeor32hnvkte274gutrfvwgjga._file

Result

Malware family:

privateloader

Score:

10/10

Tags:

family:privateloader loader

Link:

https://tria.ge/reports/240510-m4jf9sdh85/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Launches Equation Editor

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

PrivateLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/54584e56fc8b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

doc 54584e56fc8b2fd7319da05ecc34ca271c47477a3b6aa9935fe1a93896b6324c

(this sample)

AgentTesla

exe 13bfd259e12305e8bed58c8d7f83a000163e276d71e999a322ee992f88447c78

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 13bfd259e12305e8bed58c8d7f83a000163e276d71e999a322ee992f88447c78

Dropping

MD5 4bdf82cd985a7a6cc911e8912d3783d6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample