MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 691f6b49c798c9680c7794f16083284f1288fb89ac8f1f41cffabfb571557fa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 8



SHA256 hash: 691f6b49c798c9680c7794f16083284f1288fb89ac8f1f41cffabfb571557fa7
SHA3-384 hash: 98284aa062b1928320c2da223b5e92327fd267d70574b8928bb0e20d650db40dbccf74526d7911b936c2a64eac438b5a
SHA1 hash: 4dcd6095e71acc04b7a1bd9ce69a3ac250cc7c8b
MD5 hash: 7c421ee1b8bbb76ac3b551e6c22a0988
humanhash: oxygen-nevada-muppet-seventeen
File name: scan 081421.ppam
Signature: AgentTesla
File size: 10'600 bytes
First seen: 2021-08-11 06:10:57 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 192:xrXP/98s0NJ5ReM91JhhY0Q2plOjIrv6QkCFrI9Fxcvt5+b:dXP2NJ5Rek1JhXQ2u8rv6QnIRc1m
TLSH: T1D522BF07F9FD9A0DDBD8833CD2383C7EA968D423796B759B19C472814854EC2498F05E
Reporter: abuse_ch
Tags: AgentTesla ppam

Intelligence


File Origin
# of uploads: 1
# of downloads: 272
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro
Result
Verdict: MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
EXE String Concatenation
Macro contains a possibly obfuscated reference to an executable.
Macro with DLL Reference
Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwise exposed via Visual Basic for Applications (VBA).
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Document exploit detected (process start blacklist hit)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Process Start Without DLL
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph:
Behavior Graph ID: 463063
Sample: scan 081421.ppam
Startdate: 11/08/2021
Architecture: WINDOWS
Score: 100

Process tree (node numbers are the graph's own node IDs; contacted hosts and triggered signatures are listed under the process that produced them):

[2] sample root
    hosts: www.google.com; www.blogger.com; 6 other IPs or domains
    signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla (2x); 9 other signatures
    [11] POWERPNT.EXE
        dropped: C:\Users\user\Desktop\~$scan 081421.ppam (data); C:\Users\user\...\scan 081421.ppam.LNK (MS)
        [22] powershell.exe
            [36] cmd.exe
                [48] mshta.exe
                    hosts: blogspot.l.googleusercontent.com 142.250.184.193:443 (local ports 49730, 49740, GOOGLEUS, United States); gstaticadssl.l.google.com 142.250.184.227:443 (local port 49739, GOOGLEUS, United States); 9 other IPs or domains
                    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Creates a scheduled task launching mshta.exe (likely to bypass HIPS); Writes or reads registry keys via WMI; Writes registry values via WMI
                    [52] powershell.exe
                        hosts: paste.ee
                        [57] conhost.exe
                    [55] schtasks.exe
                        [59] conhost.exe
            [38] conhost.exe
    [14] powershell.exe
        hosts: paste.ee 104.26.5.223:443 (local ports 49746, 49771, CLOUDFLARENETUS, United States)
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        [24] RegAsm.exe
            hosts: 104.21.88.90 (local ports 49784, 49785, 49787, CLOUDFLARENETUS, United States); login.hosting-webmailsending.art 172.67.174.177 (local ports 49772, 49773, 49774, CLOUDFLARENETUS, United States)
            signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
        [28] conhost.exe
    [18] mshta.exe
        hosts: www.google.com; www.blogger.com; 5 other IPs or domains
        signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
        [30] powershell.exe
            hosts: 172.67.68.88:443 (local port 49756, CLOUDFLARENETUS, United States); paste.ee
            signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
            [40] conhost.exe
            [42] RegAsm.exe
            [44] RegAsm.exe
            [46] 3 other processes
    [20] 6 other processes
        hosts: 192.168.2.1 (unknown); www.google.com; 34 other IPs or domains
        [32] conhost.exe
        [34] RegAsm.exe
Result
Threat name: Script-Macro.Trojan.Valyria
Status: Malicious
First seen: 2021-08-10 19:42:28 UTC
AV detection: 16 of 45 (35.56%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Malware Config
C2 Extraction:
http://login.hosting-webmailsending.art/we/webpanel-black/inc/0c5276e3887ef1.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments