MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Maldoc score: 11


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4
SHA3-384 hash: bead05ba077a9669703c0a45c96afb38859f17a7d2a8a803de7012f14fc68f209e11ad6e2e1b2ce45b6af322ff1b93cf
SHA1 hash: d97175eae8df0386c8b014724dbb8082a35334a8
MD5 hash: 356369b4a468d58329f19e49de0acea9
humanhash: mockingbird-leopard-asparagus-lake
File name:AWB783079370872.docm
Download: download sample
Signature AgentTesla
Create hunting rule
File size:87'122 bytes
First seen:2021-02-19 10:47:59 UTC
Last seen:Never
File type:Word file docm
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 1536:2kHUxLjAomjR0BwM9EwsSLYG9VcC8YNM0zB+EE+U:V8AomjsTRPZ1M0zBy+U
TLSH A483E5178D09CB47E56883F8FE070EAD679B5B5DE9823AFE11254DCF7E202511C8A06E
Reporter abuse_ch
Tags:AgentTesla docm FedEx


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: molly.firstinvestmentgroup.org
Sending IP: 91.200.102.245
From: Fedex Tracking <38969686@fedex.com>
Subject: AWB# - 783079370872
Attachment: AWB783079370872.docm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 6 sections in this file using oledump:

Section IDSection sizeSection name
A1369 bytesPROJECT
A241 bytesPROJECTwm
A316700 bytesVBA/ThisDocument
A42680 bytesVBA/_VBA_PROJECT
A5514 bytesVBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
SuspiciousShellMay run an executable file or a system command
SuspiciousWscript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB783079370872.docm
Verdict:
Malicious activity
Analysis date:
2021-02-19 15:34:09 UTC
Tags:
macros macros-on-open generated-doc
Link:
https://app.any.run/tasks/e9691cde-bf54-44f5-8ef0-40f40aa2bec2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-word.document.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Detection(s):
TwinWave.EvilDoc.StopCryingYourHeartOut.20210216.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.WhatItSoundsLikeWhenEncodersCry.20210216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Sending a custom TCP request
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Suspicious
File Type:
Word File with Macro
Link:
https://app.docguard.net/90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/612598
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355312 Sample: AWB783079370872.docm Startdate: 19/02/2021 Architecture: WINDOWS Score: 100 94 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->94 96 Machine Learning detection for sample 2->96 98 Document contains an embedded VBA with many string operations indicating source code obfuscation 2->98 100 9 other signatures 2->100 11 WINWORD.EXE 297 23 2->11         started        14 explorer.exe 2->14         started        16 explorer.exe 2->16         started        18 2 other processes 2->18 process3 signatures4 110 Document exploit detected (process start blacklist hit) 11->110 20 cmd.exe 11->20         started        112 Drops executables to the windows directory (C:\Windows) and starts them 14->112 23 svchost.exe 14->23         started        26 svchost.exe 16->26         started        process5 file6 102 Encrypted powershell cmdline option found 20->102 28 powershell.exe 16 9 20->28         started        70 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 23->70 dropped 72 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 23->72 dropped 104 System process connects to network (likely due to code injection or exploit) 23->104 74 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->74 dropped 76 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 26->76 dropped 106 Machine Learning detection for dropped file 26->106 108 Adds a directory exclusion to Windows Defender 26->108 33 AdvancedRun.exe 26->33         started        35 AdvancedRun.exe 26->35         started        37 powershell.exe 26->37         started        39 2 other processes 26->39 signatures7 process8 dnsIp9 88 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49168 DROPBOXUS United States 28->88 90 www-env.dropbox-dns.com 162.125.66.18, 443, 49167 DROPBOXUS United States 28->90 92 3 other IPs or domains 28->92 84 C:\Users\user\AppData\Roaming\kWZHj.exe, PE32 28->84 dropped 122 Powershell drops PE file 28->122 41 kWZHj.exe 19 8 28->41         started        46 AdvancedRun.exe 33->46         started        48 AdvancedRun.exe 35->48         started        file10 signatures11 process12 dnsIp13 86 192.236.147.189, 49169, 49170, 49171 HOSTWINDSUS United States 41->86 78 C:\Windows\Resources\Themes\...\svchost.exe, PE32 41->78 dropped 80 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 41->80 dropped 82 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 41->82 dropped 114 Machine Learning detection for dropped file 41->114 116 Creates an autostart registry key pointing to binary in C:\Windows 41->116 118 Adds a directory exclusion to Windows Defender 41->118 120 Drops PE files with benign system names 41->120 50 AdvancedRun.exe 1 41->50         started        52 AdvancedRun.exe 41->52         started        54 powershell.exe 7 41->54         started        56 2 other processes 41->56 file14 signatures15 process16 process17 58 AdvancedRun.exe 50->58         started        60 AdvancedRun.exe 50->60         started        62 powershell.exe 50->62         started        66 2 other processes 50->66 64 AdvancedRun.exe 52->64         started        process18 68 AdvancedRun.exe 58->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-19 10:48:11 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdlnek5tuf4ujkt47mebbnpxb7wo4dw3whci6jr33te33e7dilka._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion macro trojan
Link:
https://tria.ge/reports/210219-erf542tatn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Checks whether UAC is enabled
Windows security modification
Blocklisted process makes network request
Executes dropped EXE
Nirsoft
Process spawned unexpected child process
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
Dropper Extraction:
https://cutt.ly/ilwWBQL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file docm 90d6d22bb3a17944aa7cfb0810b5f70fecee0edbb1c48f263bdcc9bd93e342d4

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments