MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d056e0dde01bc53ddf67b57555644ae00cf78a440c1a5832b685bf48a89c56b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 8



SHA256 hash: 8d056e0dde01bc53ddf67b57555644ae00cf78a440c1a5832b685bf48a89c56b
SHA3-384 hash: 14ce022eec8eb873ab44b025ddfd560fdf886628b3ec2dfaa74a0a8f7dc66366f79885102ee27b12a891dfd8d44c4603
SHA1 hash: 5d15b2bdace35719afdbe84cf9419eaa9f0713a4
MD5 hash: f3f82be036f861d4765d1c74c18ded02
humanhash: tennessee-video-purple-failed
File name: scan20210805122905.ppam
Signature: AgentTesla
File size: 10'632 bytes
First seen: 2021-08-10 11:54:23 UTC
Last seen: Never
File type: PowerPoint file ppam
MIME type: application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep: 192:xrXP/0uG8tfsCuNxEOmfZIZEzi9p6meAfP8Pskv/BG9c0D/:dXPu8RsCuNi5fZIEO99ezvR2
TLSH: T1FD22BFC49223B056E7E29C3C695129DFF33F8564AE3B18D718507A8CCB53586270E41F
Reporter: lowmal3
Tags: AgentTesla ppam

Intelligence

File Origin
# of uploads: 1
# of downloads: 274
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro

Result
Verdict: MALICIOUS
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String: Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.
EXE String Concatenation: Macro contains a possibly obfuscated reference to an executable.
Macro with DLL Reference: Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwise exposed via Visual Basic for Applications (VBA).

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signatures:
.NET source code contains very large array initializations
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Document exploit detected (process start blacklist hit)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Process Start Without DLL
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph (ID: 462540; Sample: scan20210805122905.ppam; Start date: 10/08/2021; Architecture: WINDOWS; Score: 100), with the graph's text dump rebuilt as a process tree (network contacts and signature hits in parentheses):

POWERPNT.EXE (drops C:\Users\user\...\~$scan20210805122905.ppam, data)
  powershell.exe
    cmd.exe
      mshta.exe (blogspot.l.googleusercontent.com 142.250.184.193:443, www.google.com 142.250.185.196:443, 10 other IPs or domains; Uses schtasks.exe or at.exe to add and modify task schedules; Creates a scheduled task launching mshta.exe (likely to bypass HIPS); Writes or reads registry keys via WMI; Writes registry values via WMI)
        powershell.exe (paste.ee)
          conhost.exe
        schtasks.exe
          conhost.exe
    conhost.exe
powershell.exe (paste.ee 104.26.5.223:443 CLOUDFLARENETUS; Writes to foreign memory regions; Injects a PE file into a foreign processes)
  RegAsm.exe (login.hosting-webmailsending.art 172.67.174.177 CLOUDFLARENETUS; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard); Found evasive API chain (trying to detect sleep duration tampering with parallel thread))
  conhost.exe
mshta.exe (www.google.com, www.blogger.com, 6 other IPs or domains; Writes or reads registry keys via WMI; Writes registry values via WMI)
  powershell.exe (172.67.68.88:443 CLOUDFLARENETUS, paste.ee; Writes to foreign memory regions; Injects a PE file into a foreign processes)
    RegAsm.exe (login.hosting-webmailsending.art)
    RegAsm.exe
    RegAsm.exe
    conhost.exe
6 other processes (gstaticadssl.l.google.com 142.250.184.227:443 GOOGLEUS, www.google.com, 30 other IPs or domains)
  conhost.exe
  RegAsm.exe
  RegAsm.exe

Threat name: Script-Macro.Trojan.Valyria
Status: Malicious
First seen: 2021-08-10 11:41:30 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Malware Config
C2 Extraction: http://login.hosting-webmailsending.art/we/webpanel-blessed/inc/07716175f91fc1.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | AgentTesla | PowerPoint file ppam 8d056e0dde01bc53ddf67b57555644ae00cf78a440c1a5832b685bf48a89c56b (this sample)

Delivery method: Distributed via e-mail attachment

Comments