MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Maldoc score: 4


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b
SHA3-384 hash: 9e4eb09f04e6a1109cc86a1c393d2bdfd7c6d859a888c728b738c9b977c3be4683d4eb7288d18ac3b1eeb1fec70a519a
SHA1 hash: fe90cbd52e1c17ae7cc782ea07839489ab67b55f
MD5 hash: 3cb7d03816665f74c851d0007fa58bdb
humanhash: eight-uranus-stairway-charlie
File name:25094.xls
Download: download sample
Signature AgentTesla
Create hunting rule
File size:952'320 bytes
First seen:2024-05-14 12:44:20 UTC
Last seen:2024-05-15 06:09:49 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 24576:S7PCQ5HKRrUP/mMxgORsbE1LWy7jtbBtugXcHPnj50cKw:YPd0rGMOebSzJlcK
TLSH T10215233AF9F14387C972B4B5B89FC5929B3CBDC4EA22B05F2310315D72B517568A248A
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter cocaman
Tags:AgentTesla xls


Avatar
cocaman
Malicious email (T1566.001)
From: "Joy <info@dubnis-ae.com>" (likely spoofed)
Received: "from hosted-by.rootlayer.net (unknown [45.137.22.154]) "
Date: "14 May 2024 21:25:41 +0200"
Subject: "RE: RE: SOA / ~ April . 2024 -BLU LOGISTICS"
Attachment: "25094.xls"

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
499 bytesMBD0002A3E9/CompObj
5470563 bytesMBD0002A3E9/Package
6524 bytesMBD0002A3EA/Ole
7459329 bytesWorkbook
8527 bytes_VBA_PROJECT_CUR/PROJECT
9104 bytes_VBA_PROJECT_CUR/PROJECTwm
10977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
11977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
12977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
13985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
142644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
20
# of downloads :
447
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b.xls
Verdict:
Suspicious activity
Analysis date:
2024-05-14 12:46:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58af6381-fdc7-41d6-b11f-9ffac8ffc035

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection(s):
TwinWave.EvilDoc.93TilInfinity.20240412.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.IMG.Phish.18227.16979.UNOFFICIAL
Create hunting rule

Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
DNS request
Launching a process
Creating a window
Searching for synchronization primitives
Сreating synchronization primitives
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b/results/dashboard
Payload URLs
URL
File name
http://dokdo.in/iOi
Embedded Ole
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embedequation exploit language-tr macros shellcode
Link:
https://www.filescan.io/uploads/66435cda54aa07c307faa741/reports/4e4a5e7f-db20-420e-b5da-40360d705ac8/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b
Result
Threat name:
AgentTesla, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1441354
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Excel sheet contains many unusual embedded objects
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1441354 Sample: 25094.xls Startdate: 14/05/2024 Architecture: WINDOWS Score: 100 55 dokdo.in 2->55 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 22 other signatures 2->91 8 EXCEL.EXE 57 47 2->8         started        12 mpTrle.exe 2->12         started        15 mpTrle.exe 2 2->15         started        17 spoolsv.exe 2->17         started        signatures3 process4 dnsIp5 71 dokdo.in 104.21.71.191, 443, 49161, 49162 CLOUDFLARENETUS United States 8->71 73 192.3.239.30, 49163, 49173, 49174 AS-COLOCROSSINGUS United States 8->73 53 beautifulflowerwhe...peningaround[1].doc, ISO-8859 8->53 dropped 19 WINWORD.EXE 344 37 8->19         started        24 spoolsv.exe 1 7 8->24         started        26 AcroRd32.exe 8->26         started        115 Injects a PE file into a foreign processes 12->115 28 mpTrle.exe 12->28         started        117 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->117 119 Machine Learning detection for dropped file 15->119 30 mpTrle.exe 12 2 15->30         started        file6 signatures7 process8 dnsIp9 57 dokdo.in 19->57 45 C:\Users\user\AppData\Roaming\...\iOi.url, MS 19->45 dropped 47 C:\Users\user\AppData\...\dokdo.in.url, MS 19->47 dropped 49 ~WRF{1ABABF8D-6E01...C-E8F0E667A92A}.tmp, Composite 19->49 dropped 51 C:\Users\user\AppData\Local\...7B4BA07.doc, ISO-8859 19->51 dropped 93 Microsoft Office launches external ms-search protocol handler (WebDAV) 19->93 95 Office viewer loads remote template 19->95 97 Microsoft Office drops suspicious files 19->97 32 EQNEDT32.EXE 12 19->32         started        99 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->99 101 Machine Learning detection for dropped file 24->101 103 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->103 113 2 other signatures 24->113 36 spoolsv.exe 13 4 24->36         started        59 ip-api.com 28->59 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->105 107 Tries to steal Mail credentials (via file / registry access) 28->107 109 Tries to harvest and steal ftp login credentials 28->109 111 Tries to harvest and steal browser information (history, passwords, etc) 28->111 61 ip-api.com 30->61 63 api.ipify.org 104.26.13.205, 443, 49177 CLOUDFLARENETUS United States 30->63 file10 signatures11 process12 dnsIp13 39 C:\Users\user\AppData\Roaming\spoolsv.exe, PE32 32->39 dropped 41 C:\Users\user\AppData\...\spoolsv[1].exe, PE32 32->41 dropped 75 Office equation editor establishes network connection 32->75 77 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 32->77 65 ip-api.com 208.95.112.1, 49176, 49178, 80 TUT-ASUS United States 36->65 67 104.26.12.205, 443, 49175 CLOUDFLARENETUS United States 36->67 69 api.ipify.org 36->69 43 C:\Users\user\AppData\Roaming\...\mpTrle.exe, PE32 36->43 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->79 81 Tries to steal Mail credentials (via file / registry access) 36->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->83 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b/
Threat name:
Document-Word.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2024-05-14 09:57:52 UTC
File Type:
Document
Extracted files:
99
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4ecrq4xd3lstv7p7ing6ojzl73htllletfqy6p7t7rkmpwnze5q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240514-py23jagb43/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
AgentTesla
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/af0828c3971e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:office_document_vba
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xls af0828c3971ed729d7effa1a6f39395ff679ad6b24cb0c79ff9fe2a63ecdc93b

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
Dropping
AgentTesla

Comments