MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd630c3f79afd61a57b259f8f69593ead8f7e7bd3a6835bd9d3c4032f30dfb01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 6



SHA256 hash: bd630c3f79afd61a57b259f8f69593ead8f7e7bd3a6835bd9d3c4032f30dfb01
SHA3-384 hash: 81d25b2f1a932fc799a61f0d4b3a6c1299bd7bf83bb89c815c4180d39fd674fb02370349f6a9c804ec59e3c3f1139e54
SHA1 hash: 961d396c2f8835f3c4dd40c7ba47ada09837fa8f
MD5 hash: 6112c02f7c568ce5a1b04de1ff2623ac
humanhash: winter-hot-pip-sweet
File name: SOA - NCL INTER LOGISTICS.ppt
Signature: AgentTesla
File size: 148'992 bytes
First seen: 2021-02-09 09:04:31 UTC
Last seen: 2021-02-09 10:55:00 UTC
File type: PowerPoint file ppt
MIME type: application/vnd.ms-powerpoint
ssdeep: 768:G4A/45FD/mJ7VUobdNVaiQpewBIUUX5afyUBLqnKarYmQ6wBAwHXAcjo:T5VmJ7VUCN0BIU65afdLPaRmg
TLSH: 6AE3A3197663C11FC36506318D86CFF572307D08BCA2DA2B73A0733D2E7AB65A725698
Reporter: lowmal3
Tags: AgentTesla

Intelligence

File Origin
# of uploads: 2
# of downloads: 149
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SOA - NCL INTER LOGISTICS.ppt
Verdict: No threats detected
Analysis date: 2021-02-09 09:06:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window

Result
Verdict: Malicious
File Type: Legacy PowerPoint File with Macro

Result
Verdict: MALICIOUS
Details: Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Connects to a URL shortener service
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 350369 (Sample: SOA - NCL INTER LOGISTICS.ppt, Startdate: 09/02/2021, Architecture: WINDOWS, Score: 100). The graph shows POWERPNT.EXE spawning cmd.exe and PING.EXE (flagged as "Document exploit detected"), cmd.exe launching mshta.exe, which in turn starts powershell.exe, schtasks.exe and cmd.exe and triggers the autostart-registry and scheduled-task signatures, and taskeng.exe launching a further mshta.exe and powershell.exe chain. The graph also lists the domains and IP addresses contacted by these processes.
Threat name: Script-Macro.Trojan.Forged
Status: Malicious
First seen: 2021-02-08 22:01:16 UTC
File Type: Binary (Archive)
Extracted files: 12
AV detection: 12 of 29 (41.38%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla: PowerPoint file ppt bd630c3f79afd61a57b259f8f69593ead8f7e7bd3a6835bd9d3c4032f30dfb01 (this sample)
Delivery method: Distributed via e-mail attachment
