MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd157abb678f29acfb7d4461fbdb5005dee9bd33ed4ba07c186b63d1746547fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


Maldoc score: 9



SHA256 hash: cd157abb678f29acfb7d4461fbdb5005dee9bd33ed4ba07c186b63d1746547fe
SHA3-384 hash: 8395f6c40ad54863a23b5cc70286c66776a60da3ca1a27c5d22896245d86da28d86983e3c391321570e48436b903145e
SHA1 hash: db7fcbb81d2bfbd0627aa6cbfc67dc27e4ce2469
MD5 hash: 2e447b66925feb09d8f55653dd9955f9
humanhash: lactose-summer-seventeen-jersey
File name: MT02201573.xlsm
File size: 441'473 bytes
First seen: 2022-05-24 15:33:13 UTC
Last seen: Never
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 12288:eUXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UJ:4warmMSAGMID1R5OtJ
TLSH T1CD942304CBD29E2AAC8450B7EF24C7C440A271D2A18F2D492B7CB97D60DBC6E516E9DC
TrID 42.2% (.XLAM) Excel Macro-enabled Open XML add-in (83500/1/13)
29.1% (.XLSM) Excel Microsoft Office Open XML Format document (with Macro) (57500/1/12)
17.2% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
8.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
2.0% (.ZIP) ZIP compressed archive (4000/1)
Reporter lowmal3
Tags: xlsm

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 8 sections in this file using oledump:

Section ID   Section size   Section name
A1           531 bytes      PROJECT
A2           89 bytes       PROJECTwm
A3           169 bytes      VBA/Sheet1
A4           367 bytes      VBA/ThisWorkbook
A5           171 bytes      VBA/Workbook
A6           7 bytes        VBA/_VBA_PROJECT
A7           228 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) in the OLE objects embedded in this file using olevba, and identified the following information:

Type         Keyword                 Description
AutoExec     Workbook_Open           Runs when the Excel Workbook is opened
IOC          3.70.157.79             IPv4 address
IOC          certutil.exe            Executable file name
IOC          MT02201573.bat          Executable file name
IOC          Cgtgkhutnpvuixnzbgte    Executable file name
Suspicious   Shell                   May run an executable file or a system command
Suspicious   vbHide                  May run an executable file or a system command
Suspicious   Hex Strings             Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious   Base64 Strings          Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
334
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
MT02201573.xlsm
Verdict:
Malicious activity
Analysis date:
2022-05-24 15:37:20 UTC
Tags:
macros macros-on-open loader trojan rat agenttesla opendir stealer nanocore

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Excel File with Macro
Payload URLs
URL
File name
http://3.70.157.79/class/loader/uploads/MT02201573.bat
ThisWorkbook
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
certutil certutil.exe cmd macros macros-on-open
Label:
Malicious
Suspicious Score:
9.9/10
Score Malicious:
1%
Score Benign:
0%
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
InQuest Machine Learning
An InQuest machine-learning model classified this macro as potentially malicious.
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
0 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Script-Macro.Downloader.Powdow
Status:
Malicious
First seen:
2022-05-24 14:22:12 UTC
File Type:
Document
Extracted files:
26
AV detection:
22 of 41 (53.66%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Downloads MZ/PE file
Malware family:
AgentTesla.v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsm cd157abb678f29acfb7d4461fbdb5005dee9bd33ed4ba07c186b63d1746547fe

(this sample)

  
Delivery method
Distributed via e-mail attachment
