MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ccc8d5aa5d1a682c20b0806948bf06d1b5d11961887df70c8902d2146c6d1481. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 12
Maldoc score: 15

SHA256 hash: ccc8d5aa5d1a682c20b0806948bf06d1b5d11961887df70c8902d2146c6d1481
SHA3-384 hash: 9e24c980acdeb88fc51d2212cd472bd38115b031d7172626389d25b527b4ca4c318aa8cbc5c5d6986044f9184eae246a
SHA1 hash: 05ea2fe69c866d8d4c3c602755f17f64a5070a47
MD5 hash: 15ea6c0a73049b48363a8a782c9bd793
humanhash: leopard-happy-batman-tango
File name: Passport & Credit Card Authorization(1).docx
Download: download sample
Signature: AgentTesla
File size: 659'513 bytes
First seen: 2022-06-09 04:54:34 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 6144:lO0R0T0c0/0m0Z0i0y0q08GWd1mhv3OdJFXiNPlV6R2Y88JQUwNM+fjNVqzx+xle:MdYB3miqoYLKbNZmzeH8bAjsEhTr8f
TLSH: T1E7E412B1AA9BED20C11629375EFA4B404AC45847192EBF473DD0D3ADB60F9F9731B122
TrID: 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
      38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
      8.6% (.ZIP) ZIP compressed archive (4000/1)
      2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: JAMESWT_WT
Tags: AgentTesla doc

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 15
OLE dump

MalwareBazaar was able to identify 121 sections in this file using oledump:

Section ID | Section size | Section name
A1  | 108 bytes   | CompObj
A2  | 244 bytes   | DocumentSummaryInformation
A3  | 208 bytes   | SummaryInformation
A4  | 15465 bytes | Workbook
A5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
A6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
A7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
A8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
A9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
A10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
B1  | 108 bytes   | CompObj
B2  | 244 bytes   | DocumentSummaryInformation
B3  | 208 bytes   | SummaryInformation
B4  | 15465 bytes | Workbook
B5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
B6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
B7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
B8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
B9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
B10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
C1  | 108 bytes   | CompObj
C2  | 244 bytes   | DocumentSummaryInformation
C3  | 208 bytes   | SummaryInformation
C4  | 15465 bytes | Workbook
C5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
C6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
C7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
C8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
C9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
C10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
D1  | 108 bytes   | CompObj
D2  | 244 bytes   | DocumentSummaryInformation
D3  | 208 bytes   | SummaryInformation
D4  | 15465 bytes | Workbook
D5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
D6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
D7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
D8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
D9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
D10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
E1  | 108 bytes   | CompObj
E2  | 244 bytes   | DocumentSummaryInformation
E3  | 208 bytes   | SummaryInformation
E4  | 15465 bytes | Workbook
E5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
E6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
E7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
E8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
E9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
E10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
F1  | 108 bytes   | CompObj
F2  | 244 bytes   | DocumentSummaryInformation
F3  | 208 bytes   | SummaryInformation
F4  | 15465 bytes | Workbook
F5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
F6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
F7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
F8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
F9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
F10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
G1  | 108 bytes   | CompObj
G2  | 244 bytes   | DocumentSummaryInformation
G3  | 208 bytes   | SummaryInformation
G4  | 15465 bytes | Workbook
G5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
G6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
G7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
G8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
G9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
G10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
H1  | 108 bytes   | CompObj
H2  | 244 bytes   | DocumentSummaryInformation
H3  | 208 bytes   | SummaryInformation
H4  | 15465 bytes | Workbook
H5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
H6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
H7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
H8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
H9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
H10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
I1  | 108 bytes   | CompObj
I2  | 244 bytes   | DocumentSummaryInformation
I3  | 208 bytes   | SummaryInformation
I4  | 15465 bytes | Workbook
I5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
I6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
I7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
I8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
I9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
I10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
J1  | 108 bytes   | CompObj
J2  | 244 bytes   | DocumentSummaryInformation
J3  | 208 bytes   | SummaryInformation
J4  | 15465 bytes | Workbook
J5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
J6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
J7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
J8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
J9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
J10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
K1  | 108 bytes   | CompObj
K2  | 244 bytes   | DocumentSummaryInformation
K3  | 208 bytes   | SummaryInformation
K4  | 15465 bytes | Workbook
K5  | 423 bytes   | _VBA_PROJECT_CUR/PROJECT
K6  | 53 bytes    | _VBA_PROJECT_CUR/PROJECTwm
K7  | 991 bytes   | _VBA_PROJECT_CUR/VBA/Sheet1
K8  | 2594 bytes  | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
K9  | 514 bytes   | _VBA_PROJECT_CUR/VBA/dir
K10 | 2291 bytes  | _VBA_PROJECT_CUR/VBA/kokapatni
OLE vba

MalwareBazaar was able to extract and deobfuscate the following information from the VBA script(s) in the OLE objects embedded in this file using olevba:

Type       | Keyword              | Description
AutoExec   | Workbook_BeforeClose | Runs when the Excel Workbook is closed
IOC        | olapappinuggerman.js | Executable file name
Suspicious | Open                 | May open a file
Suspicious | Output               | May write to a file (if combined with Open)
Suspicious | Shell                | May run an executable file or a system command
Suspicious | Wscript.Shell        | May run an executable file or a system command
Suspicious | EXEC                 | May run an executable file or a system
Suspicious | Hex Strings          | Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious | Base64 Strings       | Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 1
# of downloads: 325
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Passport & Credit Card Authorization(1).docx
Verdict: Malicious activity
Analysis date: 2022-06-09 04:55:00 UTC
Tags: macros generated-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file
Creating a process with a hidden window
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: OOXML Word File with Embedding Objects
Payload URLs
URL | File name
http://www.asianexportglass.shop/p/25.html | Microsoft_Excel_97-2003_Worksheet.xls
Document image
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-close mshta wscript
Label: Benign
Suspicious Score: 2.6/10
Score Malicious: 27%
Score Benign: 73%
Result
Verdict: SUSPICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name: AgentTesla
Detection: malicious
Classification: expl.evad.troj.spyw
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph: Behavior Graph ID 642140, Sample "Passport & Credit Card Auth...", Startdate 09/06/2022, Architecture WINDOWS, Score 100 (graph rendering not reproduced)
Threat name: Document-Word.Downloader.Powdow
Status: Malicious
First seen: 2022-06-08 22:39:16 UTC
File Type: Document
Extracted files: 183
AV detection: 11 of 26 (42.31%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://www.asianexportglass.shop/p/25.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments