MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c
SHA3-384 hash: df0d243d6add8a6e269a220d72a7327d0cee68d66e4406771fb566f2a930717d0576d149c0229b7d35e54ab16798b1bd
SHA1 hash: cd0039d9d8eec724f76637ebea1e05d31a4c7016
MD5 hash: ef3c4225749fe49087929335fa56d29b
humanhash: happy-illinois-vegan-lithium
File name:DHL_Nov 2020 at 1.55_8BZ290_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:314'880 bytes
First seen:2020-12-17 08:36:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 6144:YVFiPiJiUK4gFR+vG4chJh4p6WqKWqpiDgx3tHwd/3EaF3:yiPi8UIuOhe6WeQiDgx3K5J
Threatray 1'860 similar samples on MalwareBazaar
TLSH 386422B697B358DACA09797F41B58BAFF8C58C839A7020E1475B4279D3CED7108602DE
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server2.avanzaeninternet.com
Sending IP: 37.153.92.54
From: DHL EXPRESS <noreply@dhl.com>
Subject: RE: DHL Express Shipment // AWB_5011014
Attachment: DHL_Nov 2020 at 1.55_8BZ290_PDF.7z (contains "DHL_Nov 2020 at 1.55_8BZ290_PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL_Nov 2020 at 1.55_8BZ290_PDF.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-17 09:06:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d1541dce-38fc-4518-9dff-f48957fd9f39

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/565262
Signature
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 03:21:50 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pn7wworysm5j2bwwgfnytx2iy2k3p3t6gvzfmskxfjfl2f6djfwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0548f5f843c7552c0c5b34be2cfbbb6f3cb4ed68f9d8c8881adaeaf7f4847fbd
AgentTesla
1115de4c39b2799e9dbac90d4bcad5d1ddbf0ebd310fe04029fc379cd8bc034f
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3
AgentTesla
45729be7af7c3a3c18d7b032a1797d63655fccd33c6e494a478356b55b29ce38
AgentTesla
587cf31e6e23f0a2a06799111f1c0381f2d29187ab59cfee2f314cb6ae6ed349
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
b2a96d57f2421ebdc9fdf4813b413e1d2f84277b5dab59cccc52224094ff5ae4
AgentTesla
ee126cf35bbdcf2b2e8bbff8f27371910f9037799d4a3f5dbba16e5dc39797e7
AgentTesla
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
AgentTesla
+ 1'850 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/201217-zkj8x7a7m6/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
ServiceHost packer
Unpacked files
SH256 hash:
7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c
MD5 hash:
ef3c4225749fe49087929335fa56d29b
SHA1 hash:
cd0039d9d8eec724f76637ebea1e05d31a4c7016
Link:
https://www.unpac.me/results/d05412ed-5789-473d-82d7-89e089019afc/
SH256 hash:
a8ac7f7458e64ccd05c76077bdf432516c3451590b52f1e00c1deb579662447a
MD5 hash:
3810a5e338678db03f3e1e4596561c46
SHA1 hash:
f9d0ad72f00f8b857e405c3693e939fc12e32a9f
Link:
https://www.unpac.me/results/d05412ed-5789-473d-82d7-89e089019afc/
SH256 hash:
d657181f16102eed4b019cc461e3bfc2dbacf36217e3947af23dbe502feaf0e3
MD5 hash:
b334623553eb8268149f2f6a954cbcad
SHA1 hash:
e46c574396b55dfc3595f29287649cf7864bbeb6
Link:
https://www.unpac.me/results/d05412ed-5789-473d-82d7-89e089019afc/
SH256 hash:
aa19524a2401872acb12b47c461450e4f2a239fe6f5c9d3cb3f5c85489d42271
MD5 hash:
d4ac5723b1729660a42f685765d33fcc
SHA1 hash:
f249790939cff61beb44304b86e725fe7f0d799f
Link:
https://www.unpac.me/results/d05412ed-5789-473d-82d7-89e089019afc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Virus
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z c46392e2576e57ef825e4fa1ab2e3444f4337f4f25ca1dc10dbeb299c4098491

AgentTesla

Executable exe 7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c

(this sample)

  
Dropped by
MD5 ca8061473d467292df4738e2337b2a01
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c46392e2576e57ef825e4fa1ab2e3444f4337f4f25ca1dc10dbeb299c4098491

Comments