MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
SHA3-384 hash: d8e806e87b8dd81063de339e53f321ce0ac46ad587392039a5ddeb77d0d3937695d3a88639d544ca8790f781220ff7e2
SHA1 hash: e773e7a4289a8ee16edb16e343498678375c7192
MD5 hash: ce921c9fac365ff27d186669a3ee8f64
humanhash: undress-mobile-purple-fix
File name:GlobalImagingDocuments-1768206064-pdf..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'063'872 bytes
First seen:2025-10-03 09:01:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 44f118c16d840b70867ab1f454683704 (2 x AgentTesla, 1 x PhantomStealer)
ssdeep 24576:Zx5o7tlcFL4z9nns1bX1U8GANnsKbHf1H2ykSy+ADgJOgBUCzIOvrc2O2Sw8P3X4:L5o/g89k9Bz4TwAn
Threatray 1'530 similar samples on MalwareBazaar
TLSH T1CDA5BE14E3E851B8D83BD734CB65A232E6B078460375E58F0A99C6562F73E919B3F702
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QuarantineMessage.zip
Verdict:
Malicious activity
Analysis date:
2025-10-02 08:42:00 UTC
Tags:
stealer ultravnc rmm-tool evasion exfiltration smtp attachments attc-arch spf-fail
Link:
https://app.any.run/tasks/ea48e1ef-88aa-4a0b-ae62-86abb3e33c16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30003/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dcf4c940b7da0b4eb92a58
Tags:
gensteal autorun virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-30T18:37:00Z UTC
Last seen:
2025-10-05T07:32:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145/results?tab=lookup
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e64bd81-d852-4719-8cae-87a998920e8c
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1788618
Signature
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1788618 Sample: GlobalImagingDocuments-1768... Startdate: 03/10/2025 Architecture: WINDOWS Score: 100 23 mail.taikei-rmc-co.biz 2->23 25 ip-api.com 2->25 31 Suricata IDS alerts for network traffic 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 7 other signatures 2->37 7 GlobalImagingDocuments-1768206064-pdf..exe 2 2->7         started        11 GlobalImagingDocuments-1768206064-pdf..exe 2->11         started        signatures3 process4 file5 19 GlobalImagingDocum...1768206064-pdf..exe, PE32+ 7->19 dropped 21 GlobalImagingDocum...exe:Zone.Identifier, ASCII 7->21 dropped 39 Drops PE files to the startup folder 7->39 41 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->41 43 Writes to foreign memory regions 7->43 13 InstallUtil.exe 15 2 7->13         started        45 Allocates memory in foreign processes 11->45 47 Injects a PE file into a foreign processes 11->47 17 InstallUtil.exe 2 11->17         started        signatures6 process7 dnsIp8 27 ip-api.com 208.95.112.1, 49713, 49722, 80 TUT-ASUS United States 13->27 29 mail.taikei-rmc-co.biz 103.253.42.215, 49716, 49723, 49725 TELE-ASTeleAsiaLimitedHK Hong Kong 13->29 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->49 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->53 61 2 other signatures 13->61 55 Tries to steal Mail credentials (via file / registry access) 17->55 57 Tries to harvest and steal ftp login credentials 17->57 59 Tries to harvest and steal browser information (history, passwords, etc) 17->59 signatures9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/ce921c9fac365ff27d186669a3ee8f64
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
Threat name:
Win64.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-10-01 02:38:52 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnpqwubss2qm3ucgye6zlxgomkxg6po2do6hysj4oiegixdsafcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a8711c61a87f51285f13d87c6f0f4672febeea892e110e2a24e3cb7a100e23b
AgentTesla
239ec64b8c00bdc8603baaf441fc33bb14c14800051cf2d48d80345ff2966d9a
AgentTesla
2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
AgentTesla
3e866746e562701703c6f99ed328c232f6fe8e1a2dec8ec5000ea25eeb7592bf
AgentTesla
79879634592305c6b0c9380d3aa194b520eb82836487e97c423b70aee55bdf41
AgentTesla
7b3d435d322d7303446c5ce3308704a1d4d5a5b1e70abb44a19502be6baf2c79
AgentTesla
80df1e272fd2703ce0da68500e5388fbc46aaf860db90a54ed4ea5a38fb962df
AgentTesla
8cabb06c5a7c81e3d0db9d97d7093bfbc6f398ec5f3ef49fbcd191afb22b3550
AgentTesla
+ 1'520 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251003-kzn5vaywex/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/1367e387-f0e3-4581-ad5f-6e6b2cacb488
Unpacked files
SH256 hash:
2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145
MD5 hash:
ce921c9fac365ff27d186669a3ee8f64
SHA1 hash:
e773e7a4289a8ee16edb16e343498678375c7192
Link:
https://www.unpac.me/results/e02d4439-113d-4775-b9f7-99cdf022de3d/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b5f0b503296/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RC6_Constants
Create hunting rule
Author:chort (@chort0)
Description:Look for RC6 magic constants in binary
Reference:https://twitter.com/mikko/status/417620511397400576
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2b5f0b503296a0cdd046c13d95dcce62ae6f3dda1bbc7c493c7208645c720145

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30003/

Comments