MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6
SHA3-384 hash:	4a3ffeeb6cabc9b98999aec04b38dc09a3de57f52352b9cc678763eb3f06fdcf0c70f5e8d1a3825c5bfd3cbf093004a7
SHA1 hash:	9a21b7ca4ec5d821ffcacd760cd77a1c51178bc0
MD5 hash:	a391ec870c003b0d390be52b8f719144
humanhash:	paris-wyoming-kentucky-ink
File name:	Invoice- INV-1643920-xlsx.xll
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	566'784 bytes
First seen:	2022-04-16 06:11:46 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep	12288:Vn/zDvGHAykHSzLW/4+8bzbBSreMdpVLgFK/UqW:ZzbGHAzHAjX1GbcL
Threatray	119 similar samples on MalwareBazaar
TLSH	T140C48D57F7C7FAB0E6BE827A86B1891C527774520260A78F674072896D23392493DF0F
TrID	58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 34.3% (.OCX) Windows ActiveX control (116521/4/18) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla xll

Intelligence

File Origin

# of uploads :

1

# of downloads :

305

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

1

File name:

Invoice- INV-1643920-xlsx.xll

Verdict:

No threats detected

Analysis date:

2022-04-16 06:17:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6f5a6d7f-8845-4830-8219-1ec92de0809f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed packed

Link:

https://www.filescan.io/uploads/625a5e34ffe27d5119e38507/reports/ef32ba9d-5040-48ed-9e75-49d3d3987366/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6/

Threat name:

ByteCode-MSIL.Trojan.ExcelAddin

Status:

Malicious

First seen:

2022-04-15 14:19:50 UTC

File Type:

PE+ (Dll)

Extracted files:

3

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x5mb2r4ujuz7x2ketybqowkwyllgrbmg5j5hikni2ce6ucmdik3a._file

Verdict:

unknown

Similar samples:

0c425d6c6bce93fad4f32c275db574e8b3161a1ae55a9a957d50020b516d3e2c

0ef5f84a6608bc85058740063ba211f2d7da26883266aed349531c9678d29d55

226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a

29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9

2d9035fccfa410259c75bb54edc9c95c2d736e6bdf87832fc2062dcd89286b39

30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4

5f1beab27690a8ea9b9be78c5d34dd852dd3af4f5128feace84d1b2e10d73b59

60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65

676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784

b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73

+ 109 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220416-gx6qbsgba8/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

AgentTesla Payload

AgentTesla

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xll bf581d47944d33fbe9449e03075956c2d6688586ea7a7429a8d089ea098342b6

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample