MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66a3e3be3b63626de046621d447103e0978f5b24d3de0f412230ed6c2bfd6e28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9



SHA256 hash: 66a3e3be3b63626de046621d447103e0978f5b24d3de0f412230ed6c2bfd6e28
SHA3-384 hash: f043a299fb7fc2002a3860c388b49d7ea82d7dfdd8c0975ef5dea928686564b8cc32144549f228d38c041268e24625ea
SHA1 hash: 90d89c9f5aaaae4c067f179651066303bc83f452
MD5 hash: 3471cb088d588150df6e37e2200afbf9
humanhash: south-avocado-ceiling-alaska
File name: PO-20102021,pdf.ppam
Download: download sample
Signature: AgentTesla
File size: 8'541 bytes
First seen: 2021-10-20 06:37:39 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 192:q7XHPzYef2EB66JixrvfWNn8xX8Q1/MsBY2GFzOciQYX80qTQY8:qLP0cB66Jkrvfkn8xXnEsBiROcoM/8
TLSH: T1FE02AF95E9451B59D74558FE86963F5B3884E28238F8EF0561903FC306622E1AA7328F
Reporter: abuse_ch
Tags: AgentTesla ppam

Intelligence

File Origin
# of uploads: 1
# of downloads: 239
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Payload URLs:
  URL: https://www.bitly.com/wdowdpowdrufhjwijjd
  File name: kaoskdaoskdoaksda.b

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: macros macros-on-open
Result
Verdict: MALICIOUS
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Shell.Application Object: Detected the instantiation of a Shell Application object within the macro.
Macro Contains Suspicious String: Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature:
Command shell drops VBS files
Compiles code for process injection (via .Net compiler)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Windows Shell Script Host drops VBS files
Behaviour
Behavior Graph (ID 506037; sample PO-20102021,pdf.ppam; start date 20/10/2021; architecture WINDOWS; score 100). Node data recovered from the graph:
Process tree: POWERPNT.EXE -> mshta.exe -> powershell.exe (plus taskkill.exe and conhost.exe); mshta.exe -> cmd.exe -> wscript.exe -> wscript.exe; a further mshta.exe instance spawning several taskkill.exe processes; other cmd.exe and conhost.exe processes
Dropped files: C:\Users\user\...\~$PO-20102021,pdf.ppam (data); C:\Users\user\...\PO-20102021,pdf.ppam.LNK (MS); C:\Users\Public\hulalalMCROSOFT.vbs (ASCII, dropped by cmd.exe); C:\Users\user\AppData\Local\...\hcjaguva.0.cs (C++, dropped by powershell.exe); C:\Users\Public\yyyy1.vbs (data) and C:\Users\Public\xxx1.txt (ASCII), both dropped by wscript.exe
Network: www.google.com (142.250.203.100:443, 216.58.212.142:443); www-google-analytics.l.google.com; gstaticadssl.l.google.com (142.250.185.195:443); gcp.media-router.wixstatic.com (34.102.176.152:443); media-router.wixstatic.com; 92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com (contacted by powershell.exe); deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com (contacted by wscript.exe); further IPs and domains not listed in the graph
Graph signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Sigma detected: Mshta Spawning Windows Shell; Very long command line found; Creates processes via WMI; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Command shell drops VBS files; Compiles code for process injection (via .Net compiler); System process connects to network (likely due to code injection or exploit); Windows Shell Script Host drops VBS files
Threat name: Script.Trojan.Valyria
Status: Malicious
First seen: 2021-10-19 23:35:00 UTC
AV detection: 9 of 43 (20.93%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla collection keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments