MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 11


Maldoc score: 13


Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash: 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
SHA3-384 hash: 1bedaef918069119f5a741d5de52bf8d026ec685b67dd3e45a2f8430316cbbe574c9eb832f8ca4809b9e7d3bdf68df8d
SHA1 hash: f2dbad3686195f07db9bac1aa7eba45120069ded
MD5 hash: 18d6c58d438aa199c43cec6503ae2a6c
humanhash: shade-red-seventeen-speaker
File name:Marine Tiger.xlsm
Download: download sample
Signature AgentTesla
File size:13'677 bytes
First seen:2021-02-08 07:11:28 UTC
Last seen:Never
File type:Excel file xlsm
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 192:HePPN4twKo8V99pSKCxW9KBIYU0mT2+QOUSp+Qak1Y5t0SQxizT3W7+p+1iTvVp+:HeHNSVV9GKCZBILhTBY4D9SQITMaT2
TLSH 0D52AE5A82C37559EB27D83A41880B73F91570D49267CBBD2D08660A7B127EB47CA0CB
Reporter @abuse_ch
Tags:AgentTesla exe xlsm


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: oceantankers.com.sg
Sending IP: 45.137.20.42
From: Ocean Tankers Spore <operations@oceantankers.com.sg>
Reply-To: transmarinemalayssia@yahoo.com
Subject: Marine Tiger - AGENCY APPOINTMENT
Attachment: Marine Tiger.xlsm

AgentTesla payload URL:
http://unitranship.in/pWfS5sMI9kWirEK.exe

AgentTesla SMTP exfil server:
mail.devxico.com:587

AgentTesla SMTP exfil email address:
hgonzalez@devxico.com

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 13
OLE dump
Sections: 11

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
A1410 bytesPROJECT
A262 bytesPROJECTwm
A3991 bytesVBA/Sheet1
A43911 bytesVBA/ThisWorkbook
A52626 bytesVBA/_VBA_PROJECT
A61619 bytesVBA/__SRP_0
A7201 bytesVBA/__SRP_1
A8788 bytesVBA/__SRP_2
A9230 bytesVBA/__SRP_3
A10515 bytesVBA/dir
OLE vba
TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
102
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Marine Tiger.xlsm
Verdict:
Malicious activity
Analysis date:
2021-02-08 07:14:40 UTC
Tags:
macros macros-on-open generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Excel File with Macro
Alert level:
9.0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
80 / 100
Signature
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Threat name:
Script-Macro.Trojan.Valyria
Status:
Malicious
First seen:
2021-02-08 02:23:25 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Process spawned unexpected child process

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_AgentTesla_20200929
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:MALWARE_Win_AgentTeslaV3
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_agent_tesla_v1
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments