MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7
SHA3-384 hash: 167b540ca70fc28bc1ee444effd24776f6dfbeb5e6b76f12d2c676b8cb27015d0b8a07c8174e578155d6fb611be62fbf
SHA1 hash: fc810ac535f29b4ad23250467e1ce8347c072c8c
MD5 hash: 1af86ac12866629b9f97564e00f54554
humanhash: north-pennsylvania-happy-five
File name:DHL OVERDUE LETTER.rar
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'252 bytes
First seen:2023-08-28 11:44:41 UTC
Last seen:2023-08-28 11:45:14 UTC
File type: rar
MIME type:application/x-rar
ssdeep 48:0oK/idxw939NxmfhuCQzvWT39vbvKwsRTIKjVYWV4XoFAGyL00CHg5MKIGh0y2:w0a5xmfzGE9vbKrRvjVN4YGLP+KIQ0y2
TLSH T1F8616F3D5F554342BF991D63901B58FF5E102213BB472C55C1073A197744EE239F219A
TrID 58.3% (.RAR) RAR compressed archive (v-4.x) (7000/1)
41.6% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:AgentTesla DHL rar


Avatar
cocaman
Malicious email (T1566.001)
From: ""DHL CHINA"<claudette.mcmillan@dhl.com>" (likely spoofed)
Received: "from dhl.com (unknown [163.123.143.80]) "
Date: "22 Aug 2023 05:34:32 +0200"
Subject: "Re: DHL Global Forwarding - Aug Overdue account letter"
Attachment: "DHL OVERDUE LETTER.rar"

Intelligence

File Origin
# of uploads :
3
# of downloads :
97
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:DHL OVERDUE LETTER.exe
File size:7'168 bytes
SHA256 hash: b3be1fe7098ff321491612d574fa9b51205e823f9883abe7f234aaa39f0a32bd
MD5 hash: 6a0a9e6e1d0d18b353682868231719dc
MIME type:application/x-dosexec
Signature AgentTesla
Vendor Threat Intelligence
Result
Verdict:
Unknown
File Type:
PE File
Link:
https://app.docguard.net/820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7/results/dashboard
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin masquerade packed
Link:
https://www.filescan.io/uploads/64ec88c07444d2eb09f289d0/reports/0ace449e-ef35-41c0-bc00-9d9db61ba9d3/overview
Verdict:
Malicious
Labled as:
Mal/DrodRar
Link:
https://www.hybrid-analysis.com/sample/820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 05:03:37 UTC
File Type:
Binary (Archive)
Extracted files:
4
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qieahnvs3mgmjr2bmin7foltnend76jrpyscbttrqyuh4gni6ctq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/230828-n71qdsdf4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MSIL_TinyDownloader_Generic
Create hunting rule
Author:albertzsigovits
Description:Detects small-sized dotNET downloaders
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 820803b6b2db0cc4c741621bf2b973691a3ff9317e2420ce7186287e19a8f0a7

(this sample)

AgentTesla

Executable exe b3be1fe7098ff321491612d574fa9b51205e823f9883abe7f234aaa39f0a32bd

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b3be1fe7098ff321491612d574fa9b51205e823f9883abe7f234aaa39f0a32bd
  
Dropping
AgentTesla

Comments