MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f
SHA3-384 hash: 0daada2ea1f3c15cc28363d4b6ddcdab9465368d7d9efb63bb3d38e0a5172f2b293c275dadc132de6357b9ba0e670521
SHA1 hash: 5b3c78c2df44c8bcf3e7922de2c88edefd55fa39
MD5 hash: 230eca3f06f91bbe265b3a9fd03eb535
humanhash: illinois-lithium-west-emma
File name:Document 07042020-245784672.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'016'832 bytes
First seen:2020-04-07 07:07:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 27b2341aed8a7ebe066feaa559534f8e (1 x AgentTesla)
ssdeep 24576:8/rjjrEib+6ic3VNtH9pxJ4CozLFY2I8e5Y:WrnBKgVvHHnwYi
Threatray 10'605 similar samples on MalwareBazaar
TLSH 8325BE3FE968A063EE9B153105A14FD9D53F6C103725839BF286B71A45F8B80B16F70A
Reporter abuse_ch
Tags:AgentTesla COVID-19 exe


Avatar
abuse_ch
COVID-19 themed malspam distributing AgentTesla:

HELO: giardserver.giardinnovationcorp.com
Sending IP: 162.241.210.99
From: Managing Director <md@victim-domain>
Subject: Evidence Of Document Containing Staff Misconduct During This Periof Of COVID-19 Pandemic
Attachment: Document 07042020-245784672.img (contains "Document 07042020-245784672.exe")

AgentTesla SMTP exfil server:
smtp.maizinternational.com:587 (208.91.199.224)

AgentTesla SMTP exfil email address:
sales@maizinternational.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 07:36:42 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pn5gdmzz2taz3frf2u4r6hjlbujwc54xcp33gn4vypenzzfvgipq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab
AgentTesla
1b2094d2d7015ce59416ddaf7a827d03837bde54a330dc5600ceac3f91799559
AgentTesla
2c8da0da6cbab2366291deabbb773bec304a9e49c87982a04d6ee33c712cd642
AgentTesla
4771ad2ea30c1ac1dbf9e6358478b9fd0d6525a4b9c19e0610f7accd1d1151af
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'595 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 1bb704a19729198cf8d1bf673fc5ddeae6810bc0a773c27423352a17f7aeba9a

AgentTesla

Executable exe 7b7a61b339d4c19d9625d5391f1d2b0d1361779713f7b33795c3c8dce4b5321f

(this sample)

  
Dropped by
MD5 a9e601af70ce5e37d4e6a0356f4bd4ee
  
Dropped by
SHA256 1bb704a19729198cf8d1bf673fc5ddeae6810bc0a773c27423352a17f7aeba9a
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationAUTHZ.dll::AuthzFreeContext
AUTHZ.dll::AuthzFreeResourceManager
AUTHZ.dll::AuthzInitializeContextFromSid
AUTHZ.dll::AuthzInitializeResourceManager
ADVAPI32.dll::ConvertSidToStringSidA
ADVAPI32.dll::CreateWellKnownSid
COM_BASE_APICan Download & Execute componentsole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_APICan Play MultimediaAVICAP32.dll::capCreateCaptureWindowA
GDI32.dll::StretchDIBits
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::SetConsoleCP
KERNEL32.dll::SetConsoleOutputCP
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CryptDecodeObject
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateMenu
USER32.dll::FindWindowExW
USER32.dll::FindWindowA
USER32.dll::FindWindowExA
USER32.dll::CreateWindowExA

Comments