MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7
SHA3-384 hash: 3a726aa34ac66c024619a1c3bb7c1d79f388e67885dd96ceec5b915a66eb24b00cd4bc2b322f94ba5b9b7e320079581f
SHA1 hash: 0142a4de1b2b417185a9d6fad7cb231dbad5d49a
MD5 hash: ef43ac510c08b3f089c05f74a027577d
humanhash: yellow-chicken-failed-fanta
File name:DHL Receipt_AWB 7214303201_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'232 bytes
First seen:2023-09-15 07:22:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:zA5WIPr4zqID/L+Bb8Dbyc+FoLU9jIJQGSNglncY74aTlHG5WS:riYDbV+gWMeGSuj7h5G5WS
Threatray 5'620 similar samples on MalwareBazaar
TLSH T1B4F4010933B4A417E0B811F94919BB191772BE2B15A4E3EC5CCA79CE52F0BC185937EB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8299f0b2b298c864 (8 x AgentTesla, 2 x NanoCore, 2 x Formbook)
Reporter abuse_ch
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
280
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
DHL Receipt_AWB 7214303201_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-15 07:26:02 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/8a697258-c025-4d77-ada9-919525a931ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448781/
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.31081.1657.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/650406579bae8a378558373c/reports/0cf1373f-aa7f-478c-9cdf-1907edb4642f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca5738e2-18d7-4630-9515-f506f395efaf
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308774
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 04:54:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27u2snzwwvnylep2scb42ljosawvkqrj72vdenbygjkp6cxm6l3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3807b05845559f4ea717756c87357b8cfd9b9909a4d3f738f35ddc2bed88c35e
AgentTesla
4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a
AgentTesla
527667bc0981c49c8b4240170196700630a848bc7f3890ec6733df750d201d9b
AgentTesla
534bc98179bd7a6f7c7491fdee34ff06ae1d90f7bf1db29586d39a5ae971eea5
AgentTesla
5d4862723d30554cea6f12055b8c648b5d5b0ce2c94fd7ef7b86224a38fc75d5
AgentTesla
9c715b1f528e3ac5d2a6c36d162880ac8ccc240e25022b363dc3726f2d7e2fff
AgentTesla
a99950332da46a51e1aaba6204df22a2c94926d9ac2691ac63cdb3cc6f9f3098
AgentTesla
b51c0c907444b390504c65e4d688a265f1698e2bcfc8a214ead20ef62f5d685a
AgentTesla
b964fd0b9facd76d7dd84b3491df66d51c5e95fd4385f47afd9764a72ebb939e
AgentTesla
d72e06066cce04251239d12e50e546c951aab9c1c0682d189714fddcf0a74cda
AgentTesla
+ 5'610 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230915-h7s3nacb76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/ae4e3c62-33df-4f62-ac94-754da51969bd/
SH256 hash:
4499607a32b9668e0b7d41ff6b0f78de048dcb1d49478b5e8b532e3327c734b3
MD5 hash:
12edb110bd91b775f1e01e90b05165ea
SHA1 hash:
c1ec357bfec1bd5b1e62b92bd08587b68fd6aea9
Link:
https://www.unpac.me/results/ae4e3c62-33df-4f62-ac94-754da51969bd/
SH256 hash:
aa23263f6c350872ea4fbb12edd5aed459e5c1ec120dd6bcfd7fad274b7e9646
MD5 hash:
e077a0e47b71a7d8d8c62847c5b69ef7
SHA1 hash:
bf75855dbfe8d8ccfc6e0037a34c4ad2b5d4abe3
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/ae4e3c62-33df-4f62-ac94-754da51969bd/
Parent samples :
4fb86de07113a2b53448d5621dae4d2da70a3c36dff2089da50a1326eed99d8a
d72e06066cce04251239d12e50e546c951aab9c1c0682d189714fddcf0a74cda
d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7
647720247627b1a36405720d307ce33dc9487050c78fe58fbb76d5931a48dc79
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/ae4e3c62-33df-4f62-ac94-754da51969bd/
Parent samples :
cef72412a1dd9486bae5f7e606d4330660fba98575ba1c939559ccc83536f41a
81ccf158093718305b3499d0f16d8a82bcad69f2740066daca8d5b5ca9979688
SH256 hash:
d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7
MD5 hash:
ef43ac510c08b3f089c05f74a027577d
SHA1 hash:
0142a4de1b2b417185a9d6fad7cb231dbad5d49a
Link:
https://www.unpac.me/results/ae4e3c62-33df-4f62-ac94-754da51969bd/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7e9a93736b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe d7e9a93736b55b8591fa9083cd2d2e902d554229feaa3234383254ff0aecf2f7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448781/

Comments