MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 12


Maldoc score: 9



SHA256 hash: 9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7
SHA3-384 hash: 7fda788bc53d9cf86a5b0fed93b3330afb7f83ebb460b7b747d5a5f97ca05a2be929f1757be89f1237a961c75e40b000
SHA1 hash: 688ba6fb074142755fecd74056278b145a282f5a
MD5 hash: f7f66672f19f2dabe4f7269e32eb8540
humanhash: cold-virginia-winner-arkansas
File name: MV TRIADES.xlsm
Signature: AgentTesla
File size: 430'221 bytes
First seen: 2021-03-22 14:13:58 UTC
Last seen: 2021-03-22 15:35:37 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:Y49w8fyunGthwu8kxPthZugvq4jzjSGUuiG:Y49b7AhFxPthZnvL3t/
TLSH: AA94233BE3987E8FD6E3D97DD9058AE3231753CE3390BCB568588888061F16E81B4E55
Reporter: @JAMESWT_MHT
Tags: AgentTesla

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, generated with oletools (oleid, olevba) and oledump.

OLE id: Maldoc score 9
OLE dump: 13 sections

The following OLE sections have been found using oledump:

Section ID   Section size   Section name
A1           416 bytes      PROJECT
A2           62 bytes       PROJECTwm
A3           1180 bytes     VBA/Sheet1
A4           33779 bytes    VBA/ThisWorkbook
A5           2706 bytes     VBA/_VBA_PROJECT
A6           2525 bytes     VBA/__SRP_0
A7           283 bytes      VBA/__SRP_1
A8           464 bytes      VBA/__SRP_2
A9           106 bytes      VBA/__SRP_3
A10          24047 bytes    VBA/__SRP_4
A11          244 bytes      VBA/__SRP_5
A12          516 bytes      VBA/dir
OLE vba

The following keywords have been flagged by olevba:

Type         Keyword         Description
AutoExec     Workbook_Open   Runs when the Excel Workbook is opened
Suspicious   Shell           May run an executable file or a system command
Suspicious   Chr             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Xor             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings     Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
2
# of downloads :
110
Origin country :
IT
Mail intelligence
Geo location:
Global
Volume:
High
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MV TRIADES.xlsm
Verdict:
Malicious activity
Analysis date:
2021-03-22 14:32:52 UTC
Tags:
macros macros-on-open loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Moving a recently created file
Running batch commands
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Creating a window
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Suspicious
File Type:
Excel File with Macro
Alert level:
4.0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 372951
Sample: MV TRIADES.xlsm
Start date: 22/03/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
- Found malware configuration
- Antivirus detection for URL or domain
- Multi AV Scanner detection for submitted file
- 9 other signatures

Process tree (process, then files dropped, network contacts and signatures attributed to it):
- EXCEL.EXE (started from the sample)
  - dropped: C:\Users\user\Desktop\~$MV TRIADES.xlsm (data)
  - cmd.exe (started by EXCEL.EXE)
    - signature: Encrypted powershell cmdline option found
    - powershell.exe (started by cmd.exe)
      - network: specfloors.net 107.180.99.252, port 49165 -> 80, AS-26496-GO-DADDY-COM-LLC, US
      - dropped: C:\Users\user\AppData\Roaming\tNDFx.exe (PE32)
      - signature: Powershell drops PE file
      - tNDFx.exe (started by powershell.exe)
        - network: liverpoolsupporters9.com 172.67.176.78, port 49167 -> 80, CLOUDFLARENET, US
        - signature: Multi AV Scanner detection for dropped file
        - signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        - signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        - 3 other signatures
        - tNDFx.exe (child, started by tNDFx.exe)
          - network: smtp.jiratane.com 198.54.116.63, port 49168 -> 587, NAMECHEAP-NET, US
          - signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          - signature: Tries to steal Mail credentials (via file access)
          - signature: Tries to harvest and steal ftp login credentials
          - 2 other signatures
        - cmd.exe (started by tNDFx.exe)
          - timeout.exe (started by cmd.exe)
        - tNDFx.exe (second child, started by tNDFx.exe)
Threat name:
Script-Macro.Downloader.NetWired
Status:
Malicious
First seen:
2021-03-21 07:42:48 UTC
File Type:
Document
Extracted files:
29
AV detection:
20 of 47 (42.55%)
Threat level:
  3/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://specfloors.net/dev/income.exe

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.
