MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e
SHA3-384 hash: db7486fc338d9f609cdab3a0cd38320dc07759f3afb4526d60121adc509e72c6b0a8037d87d46c2156f4897511b113a4
SHA1 hash: 1b939f220635f802f1d7837ca004c0ead91a1864
MD5 hash: 62e02279007c5e1ac7ae6716c1313549
humanhash: johnny-johnny-three-early
File name:DHL Shipping doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'984 bytes
First seen:2023-04-21 06:05:49 UTC
Last seen:2023-05-13 22:49:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fUTaNHMH91DzZGzG88f6R73Wx+6hFFNwMayGr0/hEsgU0pTFq0:fUsHMd1Dtyd3WA6hFwtj0OlNrt
Threatray 2'411 similar samples on MalwareBazaar
TLSH T1EAF4E1D5B326D792C2583D3D52EA71383BB04997E917C639FDC811887E26BC91E8078B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0070696969696000 (12 x Formbook, 9 x AgentTesla, 5 x Loki)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL Shipping doc.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 08:10:33 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/b3e8770c-ef2b-4184-aff1-02b5d6ad325e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383907/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/644227cecb3a77ded53ff42e/reports/b81d5338-7020-4a7f-bff9-2aba5b94b206/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe53218d-5bc9-44d1-aa69-91b66791b65d
Result
Threat name:
AgentTesla, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218446
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e/
Threat name:
ByteCode-MSIL.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 06:06:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w7qchj4dx57puaqhq243uxdsyw5va7iotc2t2v7irfpet7eramxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1848273b479f368e281177c9b8d643ff1994906f7c2479c92b1ae7f38440f0ee
AgentTesla
1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562
AgentTesla
20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500
AgentTesla
2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
AgentTesla
3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580
AgentTesla
8a03b8808de5dc90141e961a89350e8e50ad3f8410ec4e2d5b4fa64cfc310519
AgentTesla
900d92079c889090445b172adbb843546731d69d22c39c75a41f8e195e0721f5
AgentTesla
b082cba27efc5e6d925e816ac7ea0bbdcfa83b322cc3c340047e985389857da7
AgentTesla
ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1
AgentTesla
d850ceb318e1d078e00f9f59ff80f6775b8f19bfa26f5f0750582a73e51e4fcf
AgentTesla
+ 2'401 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230421-gtspasgd3y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8f87a31f913a09193515541c4c741348f5843c6c014870efb7f07419c2cc40ca
MD5 hash:
c4443cbe57997bd221c393b17c4a5322
SHA1 hash:
e46681cf0dab0c43b4489b61836381c9d2ec004c
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
SH256 hash:
6d528a8e231b03c1fabbdd75f4a4137aef32577ccd9899b2abc5d8288faca1e3
MD5 hash:
21ee7f03b17561e296a9427a17967a81
SHA1 hash:
ddde2dbdd1589d38db7ad51aef18f922e51d5a7d
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
Parent samples :
3c2b24a6f577cca56542f53c9c1960e034c8f9b9888d6c02f4b95b6be7f9e580
ce9f61e287166e270644981cb784c61066bcde3e9069691435b9f1524e03fbb1
b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e
bbdd3c67e8780f70bb81bbd019cc39c40b8efb9653dcef5e625409fc3ceedd10
5ad812cb5f8de1cf00232dad670e6d0711e198d8e97ade700fb7d8d1819e8570
66559a620120bae83346077c331fa493ec8f3c32f760aec990d972e72ff50578
SH256 hash:
5e5c8fe4e53980a98b48fe6b19155edf0f0d285ed899c61dbf4f880583ddf1d2
MD5 hash:
b3bbc5461d12f07ea893bf415dfe7c89
SHA1 hash:
40c3156c471d2afe3fd88c7d20cf93e5782e1bd6
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
SH256 hash:
e5518e76f14e87bcc58a705c6f8f3a686cbffefc0e55985d17a067adfddf3688
MD5 hash:
920a2854e9c183ad2ef7d5543c296d38
SHA1 hash:
2c20da753bdf6f1a46261e2c132dd42f75c94229
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
SH256 hash:
581f03adbd77d8a9ed5d3721f68432f174ed2c48f0c6b2794b7a15462e3347f3
MD5 hash:
9a493553b9456d60d3d605aac6f31058
SHA1 hash:
10d1411b45077f098b741bdd006bb0fb104f08d0
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
SH256 hash:
b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e
MD5 hash:
62e02279007c5e1ac7ae6716c1313549
SHA1 hash:
1b939f220635f802f1d7837ca004c0ead91a1864
Link:
https://www.unpac.me/results/9d8cb857-bf7e-4ced-9c5f-5462b2a8ef27/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b7e023a783bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/b7e023a783bf7efa020786b9ba5c72c5bb507d0e98b53d57e8895e49fc91032e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383907/

Comments