MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments

SHA256 hash: c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b
SHA3-384 hash: 82b45d5438095091740a66c28664a134113639de37b0ef7e6fd637352b466bfd2358e3f0072dba0757e78df93e7c3fc7
SHA1 hash: a1cf21c352a13b91a2b0ab22c4367e07151c4292
MD5 hash: aaea73067b34013e5c1c9715dcf715a4
humanhash: nebraska-juliet-kansas-fourteen
File name:DHL_AWB.docx
Download: download sample
Signature AgentTesla
File size:73'762 bytes
First seen:2022-08-05 14:34:11 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 1536:+Uk/JREcKLAG51Y5/kPMqvyM76mC178spn0jQWa:+1BKLAA5PPn2F1XCRa
TLSH T1677302E249C542DCDF8186328F9ADF7BDA58DCD259AB972C46E1983C98734CA8720C18
TrID 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.6% (.ZIP) ZIP compressed archive (4000/1)
2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter @lowmal3
Tags:AgentTesla doc

Intelligence


File Origin
# of uploads :
1
# of downloads :
370
Origin country :
DE DE
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_AWB.docx
Verdict:
Malicious activity
Analysis date:
2022-08-05 14:35:05 UTC
Tags:
opendir trojan exploit CVE-2017-11882 loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
–°reating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Creating a window
Creating a file
DNS request
Sending an HTTP GET request
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
OOXML Word File with Embedding Objects
Alert level:
85%
Payload URLs
URL
File name
http://198.23.207.54/shp/doc_200.doc
settings.xml.rels
Document image
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 exploit xploit
Label:
Benign
Suspicious Score:
  /10
Score Malicious:
%
Score Benign:
1%
Result
Verdict:
SUSPICIOUS
Details
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
External Relationship Element
Document contains an externally hosted relationship, which fetches further content.
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for dropped file
Contains an external reference to another file
Drops PE files to the user root directory
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: File Dropped By EQNEDT32EXE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Telegram RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679368 Sample: DHL_AWB.docx Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for dropped file 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 13 other signatures 2->47 7 EQNEDT32.EXE 12 2->7         started        11 WINWORD.EXE 304 67 2->11         started        14 EXCEL.EXE 2 3 2->14         started        16 EXCEL.EXE 2 3 2->16         started        process3 dnsIp4 29 C:\Users\user\AppData\Local\...\vbc[1].exe, PE32 7->29 dropped 31 C:\Users\Public\vbc.exe, PE32 7->31 dropped 55 Office equation editor establishes network connection 7->55 57 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->57 18 vbc.exe 1 5 7->18         started        39 198.23.207.54, 49171, 49172, 49173 AS-COLOCROSSINGUS United States 11->39 33 ~WRF{61C0FE69-632E...B-CB8720AB2605}.tmp, Composite 11->33 dropped 35 C:\Users\user\AppData\Local\...\694BA9C1.doc, data 11->35 dropped 37 C:\Users\user\AppData\...\doc_200[1].doc, data 11->37 dropped file5 signatures6 process7 signatures8 49 Antivirus detection for dropped file 18->49 51 Multi AV Scanner detection for dropped file 18->51 53 Machine Learning detection for dropped file 18->53 21 vbc.exe 18->21         started        23 vbc.exe 18->23         started        25 vbc.exe 18->25         started        27 2 other processes 18->27 process9
Threat name:
Document-Office.Exploit.CVE-2017-0199
Status:
Malicious
First seen:
2022-08-05 11:00:12 UTC
File Type:
Document
Extracted files:
30
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Suspicious use of SetThreadContext
Abuses OpenXML format to download file from external location
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
AgentTesla payload
AgentTesla
Malware Config
C2 Extraction:
https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc c7351eddf1e255e0b5d5d6c7dbd054427f5fef62b7cd9d25b67166e57df21d9b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments