MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 16



SHA256 hash: 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c
SHA3-384 hash: 34a73d798d249398bd2d6eb65c830d2067675ab410fcedb1a8f9b48a85a4ddb1894ea6eee4796bf7fbea00dc4ca095fb
SHA1 hash: da919b490b8192eab7c577b4a85337d09eb56a9e
MD5 hash: d0cd467a481799f5dc06a498e24ff4ad
humanhash: four-sweet-pasta-texas
File name: Contract - Wipak Oy.xlsx
Signature: AgentTesla
File size: 2'819'080 bytes
First seen: 2022-08-05 09:29:51 UTC
Last seen: Never
File type: Excel file xlsx
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 49152:4yFhEeXk7Vs4O7VhPiiw176tK5fpiB+VkAT5H0T9DpZvlfp+INtJz:4uXmijhhPDwNgiBiBuTG1lx+IN3
TLSH: T1DCD53396C4F0AB688E9F1585EEAF7840472FBAC1E1DF8496D054047C37AB19DF222D4E
TrID:
  60.1% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
  30.9% (.ZIP) Open Packaging Conventions container (17500/1/4)
  7.0% (.ZIP) ZIP compressed archive (4000/1)
  1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: @TeamDreier
Tags: AgentTesla xlsx

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained with oletools and oledump.

OLE dump
Sections: 3

The following OLE sections have been found using oledump:

Section ID   Section size     Section name
A1           3008016 bytes    oLE10nATivE
A2           0 bytes          vd4Gf9eRaIg9JoI2jb8EGtk

Intelligence

File Origin
# of uploads: 1
# of downloads: 254
Origin country: DK

Mail intelligence: No data

Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: Contract - Wipak Oy.xlsx
Verdict: Malicious activity
Analysis date: 2022-08-05 09:31:03 UTC
Tags: opendir exploit CVE-2017-11882 loader agenttesla

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot: False
Contains macros: False

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
DNS request
Creating a file in the %AppData% directory
Creating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request by exploiting the app vulnerability
Creating a process from a recently created file
Unauthorized injection to a system process

Result
Verdict: Malicious
File Type: OOXML Excel File with Embedding Objects
Alert level: 70%

Payload URLs
URL                                          File name
https://pkusukoharjo.com/giving/qGTGx.exe    dbSYXB9S.Pu6cL
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: embedequation exploit

Label: Malicious
Suspicious Score: 9.8/10
Score Malicious: 98%
Score Benign: 2%

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100

Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: File Dropped By EQNEDT32EXE
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader

Behaviour
Behavior Graph (ID 679189; sample: Contract - Wipak Oy.xlsx; start date: 05/08/2022; architecture: WINDOWS; score: 100). Process chain recovered from the graph:
  Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
  EXCEL.EXE started; dropped C:\Users\user\...\~$Contract - Wipak Oy.xlsx (data)
  EQNEDT32.EXE started; contacted pkusukoharjo.com (136.243.86.20, ports 443, 49171, HETZNER-ASDE Germany); dropped jhghyftvgyjhjhgjhj...gfrtreaebvcnbnc.exe (PE32) and C:\Users\user\AppData\Local\...\qGTGx[1].exe (PE32); signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
  jhghyftvgyjhjhgjhjhggfresewdxrcnvfhgfhggfrtreaebvcnbnc.exe started by EQNEDT32.EXE; contacted cdn.discordapp.com (162.159.129.233, ports 443, 49172, CLOUDFLARENETUS United States) and 109.206.241.81 (ports 49173, 80, AWMLTNL Germany); signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  powershell_ise.exe started by the dropped executable
  dw20.exe started by powershell_ise.exe
Threat name: Document-Office.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2022-08-04 12:37:28 UTC
File Type: Document
Extracted files: 19
AV detection: 15 of 26 (57.69%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a

Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Blocklisted process makes network request

Malware family: AgentTesla
Verdict: Malicious

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Malspam

AgentTesla

Excel file xlsx 831518fee7137eb607ad0fd8b629784dd692f981f6060465079945a13dba6c4c (this sample)

Delivery method: Distributed via e-mail attachment

Comments