MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a448187a4238c392898c127d4d2dd9a9150ef060275a510d51183b31182e7dee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 14


Maldoc score: 4



SHA256 hash: a448187a4238c392898c127d4d2dd9a9150ef060275a510d51183b31182e7dee
SHA3-384 hash: 29fbc1897654afd29191bdd6f873dc22af8095ecee6f2fc4ac05184ad741d73bc3c74b4782c84cdd93cc55b423bdc741
SHA1 hash: 1874c7f39450a9c22bb34def0ae67c694d9fcef8
MD5 hash: 83624f2a6f08d8f34c477f00542fc222
humanhash: orange-lion-oxygen-undress
File name: INV 66077.xls
Signature: AgentTesla
File size: 1'061'888 bytes
First seen: 2024-07-23 06:33:44 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 24576:fhLccGPxD6yDCY6ff7/0GZy19GdR5OLouz7EGsFfUF:qcyxD6ON6n7MgVRILoWMFf4
TLSH: T16F352324BA81D707D653C57409A6CA95832DFC12FF10E26B7A16772F273827995CBF08
TrID: 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
      26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
      20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
      6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: AgentTesla cve-2017-0199 xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID   Section size    Section name
1            114 bytes       CompObj
2            244 bytes       DocumentSummaryInformation
3            200 bytes       SummaryInformation
4            99 bytes        MBD0002FBF3/CompObj
5            522248 bytes    MBD0002FBF3/Package
6            522 bytes       MBD0002FBF4/Ole
7            516172 bytes    Workbook
8            525 bytes       _VBA_PROJECT_CUR/PROJECT
9            104 bytes       _VBA_PROJECT_CUR/PROJECTwm
10           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet1
11           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet2
12           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet3
13           985 bytes       _VBA_PROJECT_CUR/VBA/ThisWorkbook
14           2644 bytes      _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15           553 bytes       _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, yielding the following information:

Type         Keyword        Description
Suspicious   Hex Strings    Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 342
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: Discovery Generic Infostealer Network Office Stealth W97m
Result
Verdict: Malware
Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching a process
Creating synchronization primitives
Creating a file
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Legacy Excel File with Macro
Payload URLs
URL: http://nw.ax/8Kx
File name: Embedded Ole
Behaviour
Suspicious: RTF detected
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: macros
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious Excel or Word document
Antivirus detection for dropped file
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph (rendered graph not reproduced here): ID 1479166, Sample: INV 66077.xls, Startdate: 23/07/2024, Architecture: WINDOWS, Score: 100
Threat name: Win32.Exploit.CVE-2017-0199
Status: Malicious
First seen: 2024-07-23 00:48:49 UTC
File Type: Document
Extracted files: 45
AV detection: 11 of 37 (29.73%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla execution keylogger persistence spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
AgentTesla
Verdict: Suspicious
Tags: n/a
YARA: n/a
Malware family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: informational_win_ole_protected
Author: Jeff White (karttoon@gmail.com) @noottrak
Description: Identify OLE Project protection within documents.
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: office_document_vba
Author: Jean-Philippe Teissier / @Jipe_
Description: Office document with embedded VBA
Reference: https://github.com/jipegit/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
