MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6
SHA3-384 hash: dae90931a697fdb266bda4dff2e2a026b239dc95b62c353977f71565ee24c6495b7b10ba786acebdd0d11ba0ff4c6ce8
SHA1 hash: 60a9d3e1c911e3629c1eea2aded6ecd11114708e
MD5 hash: 18c9430104b98acad9376d348723cbcb
humanhash: tennis-aspen-timing-california
File name:Request for Quotation76584454.ppt
Download: download sample
Signature AgentTesla
Create hunting rule
File size:317'440 bytes
First seen:2021-02-16 08:42:52 UTC
Last seen:Never
File type:PowerPoint file ppt
MIME type:application/vnd.ms-powerpoint
ssdeep 3072:X4oyxnPCG4MObyxgHcB6FnisvlThYzF8+:X4za+H0nxvlTOe+
TLSH B2644F45B506C21EC26409369C5BDFFB7338BE08DC65871732AA377E2D7AB18A741B90
Reporter lowmal3

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Doc.Macro.MaliciousHeuristic-6298845-0
Create hunting rule

TwinWave.EvilDoc.EvilMrFantasyIceIsNiceEdition.20200806.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.SRDEPICO2CS.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
Malicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6/results/dashboard
Result
Verdict:
UNKNOWN
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608732
Signature
Connects to a URL shortener service
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 353396 Sample: Request for Quotation76584454.ppt Startdate: 16/02/2021 Architecture: WINDOWS Score: 100 50 www.blogger.com 2->50 52 startthepartyup.blogspot.com 2->52 54 8 other IPs or domains 2->54 74 Yara detected AgentTesla 2->74 76 Sigma detected: Powershell execute code from registry 2->76 78 Sigma detected: Schedule script from internet via mshta 2->78 80 10 other signatures 2->80 10 cmd.exe 1 2->10         started        12 taskeng.exe 1 2->12         started        14 POWERPNT.EXE 501 3 2->14         started        16 mshta.exe 2->16         started        signatures3 process4 process5 18 POWERPNT.EXE 10 12 10->18         started        21 mshta.exe 10 12->21         started        signatures6 72 Document exploit detected (process start blacklist hit) 18->72 23 mshta.exe 11 32 18->23         started        27 PING.EXE 18->27         started        29 PING.EXE 18->29         started        33 6 other processes 18->33 31 mshta.exe 21 21->31         started        process7 dnsIp8 62 j.mp 67.199.248.16, 49165, 80 GOOGLE-PRIVATE-CLOUDUS United States 23->62 64 blogspot.l.googleusercontent.com 216.58.208.161, 443, 49166, 49175 GOOGLEUS United States 23->64 70 3 other IPs or domains 23->70 82 Creates autostart registry keys with suspicious values (likely registry only malware) 23->82 84 Creates multiple autostart registry keys 23->84 86 Creates an autostart registry key pointing to binary in C:\Windows 23->86 88 Creates a scheduled task launching mshta.exe (likely to bypass HIPS) 23->88 35 powershell.exe 12 7 23->35         started        38 cmd.exe 23->38         started        40 schtasks.exe 23->40         started        42 powershell.exe 27->42         started        66 www.blogger.com 31->66 68 randikhanaekminar.blogspot.com 31->68 44 powershell.exe 31->44         started        signatures9 process10 dnsIp11 56 ia801400.us.archive.org 207.241.228.140, 443, 49177, 49187 INTERNET-ARCHIVEUS United States 35->56 58 linkpc.net 67.214.175.69, 49176, 49186, 49191 CUSTOMDOTNETUS United States 35->58 46 taskkill.exe 38->46         started        48 taskkill.exe 38->48         started        60 onedrive.linkpc.net 192.254.74.210, 49185, 80 BIGBRAINUS United States 44->60 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6/
Threat name:
Script-Macro.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 08:43:05 UTC
AV detection:
7 of 48 (14.58%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro xlm
Link:
https://tria.ge/reports/210216-z2vbdpx9fn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

PowerPoint file ppt 818f304883e566aa5cce96bda31d28239ade1164518f38377d6f4d80d449bae6

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments