MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78
SHA3-384 hash:	e75f535a0e048a0ff2792b0c4cd6f2080231f23c3d4dbccffe730f5d965a1f37ad5d127c97d839b6d206f3eec49ed37c
SHA1 hash:	4eaa56b42a4d417ba9f24338dccda177ae3f495a
MD5 hash:	9a993ff89729702b960bacc5a3cc575d
humanhash:	mirror-cardinal-avocado-undress
File name:	Purchase Order1.xll
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	648'704 bytes
First seen:	2022-04-28 06:35:49 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep	12288:q0Ws7IMsR4yVld8bzbBSreKBY4ZyrE7K3yl8PeVooA/AB2LEJZsAQPUqjl:q0bskX1aBY4ZyrE7K3yl8PeVooA/AB2f
Threatray	16'167 similar samples on MalwareBazaar
TLSH	T17FD46D55BECA6EA1EFBF47B78361D62D1126736E03A0A6CF6603019D3951FC2453EA03
TrID	58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 34.3% (.OCX) Windows ActiveX control (116521/4/18) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla xll

Intelligence

File Origin

# of uploads :

1

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Generic-9939833-0

SecuriteInfo.com.Trojan.DownloaderNET.312.27193.19952.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware packed packed

Link:

https://www.filescan.io/uploads/626a35e70d3e2bd52d0e8349/reports/00f253c0-898c-4b82-880a-d918369bf0ce/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78/

Threat name:

ByteCode-MSIL.Trojan.ExcelAddin

Status:

Malicious

First seen:

2022-04-28 03:13:44 UTC

File Type:

PE (Dll)

Extracted files:

3

AV detection:

22 of 40 (55.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=viuipcpaxp42ft6tctyvdd4usmmrwiw62cl5u3bs7smwm7g6bv4a._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

0c2a4483319382571e9b470d292d0b4bdd4e7e700ff5722a979e4498c147693f

19e0b2abf3378d86d1f8d834eaf65f66079bfe64181ec13b50dc115e013b12d1

1bf8c12c3dadffb6d0b9dfbebd78a15bed670640830c0f41369ea6137c2aeb1d

4a9683f3b6658f4895cd3d44c4920d77db5dfd410cf0dc188e4f4d2740c24539

5d45566376f6d2724f2a799784589f52751abf462064bbfb9f5bab134ecd120c

61fe696f1f01753b90b6054fc390025f644a69a8c85a89dc83ac76cae19f79fb

727f124333294aaba156840955cbfc6ac7470768c65c1582c5e0dbfcb6f8722f

864b3cc362f84975007a63ae6f7fa6b4bdcc06f4459195896ebee385443ed44a

c61b6512d455398c2ff7fa4450c488e7eaeb8aacc01f732d8204ae302e2cc868

d724eef097700915a348d42dcfa0255e3edb3c644cf8740fd052cddab2c81b54

+ 16'157 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220428-hcx35abca3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xll aa288789e0bbf9a2cfd314f1518f9493191b22ded097da6c32fc99667cde0d78

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample