MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7
SHA3-384 hash: dcb1469e2f53121dd2f480d2a4c6cc9db836f96bc0cf2341165fb18ed970a8f5d2fd63440f5167d9b12ac7cca8b898b8
SHA1 hash: 56e6301ac115d5fcc3bea7369f962d1ad02e7fe6
MD5 hash: 43d18319605497bb7f10804070f31c42
humanhash: johnny-william-pizza-east
File name:RFQ P39948220 Inquiry.ppt
Download: download sample
Signature AgentTesla
Create hunting rule
File size:65'024 bytes
First seen:2021-04-12 06:39:12 UTC
Last seen:Never
File type:PowerPoint file ppt
MIME type:application/vnd.ms-powerpoint
ssdeep 192:7BKzolzjiDkQ95TEzLTAcjydISgXruCvjAnl5C0Ij4RaHR05wrpQu:tvIDkQLELAcwIpXrLvjAls0I3xuw1r
TLSH 59538116B757C9A3E1596A358EE2D6CF3330BC22BD81970F318A331E2E379509D42B59
Reporter lowmal3
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ P39948220 Inquiry.ppt
Verdict:
Malicious activity
Analysis date:
2021-04-12 06:43:47 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/951bcde2-2bbf-493a-92f8-e4aa24ab7285

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
TwinWave.EvilDoc.PPTWANNABEBALLERSHolidayOnTheMoonPolicyKillz.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7/results/dashboard
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/672579
Signature
.NET source code contains very large array initializations
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385236 Sample: RFQ P39948220 Inquiry.ppt Startdate: 12/04/2021 Architecture: WINDOWS Score: 100 55 www.blogger.com 2->55 57 resources.blogblog.com 2->57 59 7 other IPs or domains 2->59 89 Found malware configuration 2->89 91 Yara detected Powershell download and execute 2->91 93 Yara detected AgentTesla 2->93 95 7 other signatures 2->95 9 cmd.exe 1 2->9         started        11 powershell.exe 12 8 2->11         started        15 mshta.exe 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 19 POWERPNT.EXE 154 16 9->19         started        71 gcp.media-router.wixstatic.com 34.102.176.152, 443, 49179, 49185 GOOGLEUS United States 11->71 73 media-router.wixstatic.com 11->73 75 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com 11->75 113 Writes to foreign memory regions 11->113 115 Injects a PE file into a foreign processes 11->115 21 aspnet_compiler.exe 11->21         started        24 aspnet_compiler.exe 11->24         started        26 aspnet_compiler.exe 11->26         started        33 3 other processes 11->33 28 powershell.exe 15->28         started        77 www.blogger.com 17->77 79 www.blogger.com 17->79 81 6 other IPs or domains 17->81 31 mshta.exe 10 17->31         started        signatures6 process7 dnsIp8 35 mshta.exe 11 30 19->35         started        105 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->105 107 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->107 83 media-router.wixstatic.com 28->83 85 gcp.media-router.wixstatic.com 28->85 87 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com 28->87 109 Writes to foreign memory regions 28->109 111 Injects a PE file into a foreign processes 28->111 39 aspnet_compiler.exe 28->39         started        41 aspnet_compiler.exe 28->41         started        43 aspnet_compiler.exe 28->43         started        47 3 other processes 28->47 45 mshta.exe 18 31->45         started        signatures9 process10 dnsIp11 61 j.mp 67.199.248.17, 443, 49165 GOOGLE-PRIVATE-CLOUDUS United States 35->61 63 blogspot.l.googleusercontent.com 172.217.168.1, 443, 49166, 49169 GOOGLEUS United States 35->63 69 3 other IPs or domains 35->69 97 Creates autostart registry keys with suspicious values (likely registry only malware) 35->97 99 Creates multiple autostart registry keys 35->99 101 Creates an autostart registry key pointing to binary in C:\Windows 35->101 103 3 other signatures 35->103 49 taskkill.exe 35->49         started        51 taskkill.exe 35->51         started        53 schtasks.exe 35->53         started        65 www.blogger.com 45->65 67 getyournewblog.blogspot.com 45->67 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7/
Threat name:
Document-Office.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-04-12 06:19:12 UTC
AV detection:
4 of 48 (8.33%)
Threat level:
  2/5
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger macro persistence spyware stealer trojan xlm
Link:
https://tria.ge/reports/210412-aldm28z9zx/
Behaviour
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
AgentTesla Payload
AgentTesla
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://%6786d78asd6786d78asd%6786d78asd%6786d78asd@j.mp/jasidddasdoj
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

PowerPoint file ppt edcfc4bb2855541fb8aafe5cb37ffe77337c90e319548544642631f898d74bb7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments