MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 21 File information Comments

SHA256 hash:	00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771
SHA3-384 hash:	f2c9318a469a316b547e51a48b7f4fca852c558ff4ea18a3cd76c82d9b1ccfcfd010ac8d4d5db7ebd2fc8871f94e2729
SHA1 hash:	f2042883f706a530d066dd543182b7b87cdff53c
MD5 hash:	a55aadde092c1865f890959271b8f9d5
humanhash:	moon-cold-papa-kentucky
File name:	00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'469'440 bytes
First seen:	2025-07-31 11:39:29 UTC
Last seen:	2025-07-31 11:54:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Flv/tnIpTdOlzAVRa9YVQ+G0BRijs3RovcaoQrgDdFlDhBT:Fl3tIr66pVBRi+BXDdFlDPT
Threatray	4'049 similar samples on MalwareBazaar
TLSH	T1B665CF45E2C9EC8AE01B2271983CF534255EF759A27BCD5A2A19B87961B33837017F0F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	d480aa8e96968ed8 (20 x AgentTesla, 15 x SnakeKeylogger, 13 x MassLogger)
Reporter	JAMESWT_WT
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771

Verdict:

Malicious activity

Analysis date:

2025-07-31 12:05:40 UTC

Tags:

auto-startup evasion stealer ultravnc rmm-tool agenttesla

Link:

https://app.any.run/tasks/bfbfa18f-9a7d-4dae-a005-cc51d9934c27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/18027/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688b562caf3050dc8d32b42c

Tags:

autorun virus micro msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Launching a service

Creating a window

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/688b5632a16348d835f5b2ff/reports/865201ab-069b-469f-8add-124f3f396468/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d87faff-f54d-4ec6-8d8c-ee22d3518c72

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.25 Win 32 Exe x86

Link:

https://app.malva.re/file/a55aadde092c1865f890959271b8f9d5

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2025-04-03 01:05:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=adlwwbvf7gt5epd7y6gj7a5qrwcojkfij2g2bkcs5qhwyxtf45yq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

bbadbf3fdbbf1e1d3b0990bbd18ab566cc3028538d4fab8981d0f8505d44349a

AgentTesla

c874cb6f884dfcc3a814adc657b2c2226857100f696bd6e08b85c7fa9c2c77c4

AgentTesla

f888c4770bbbbcad15c357d6731ff8f5afd7e62e4c35652f3dc3ede6c36b66e9

AgentTesla

+ 4'039 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250731-ns3w7swjx8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Drops startup file

AgentTesla

Agenttesla family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2cfd5fc0-84ac-4745-b939-8b9f57983dee

Unpacked files

SH256 hash:

00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771

MD5 hash:

a55aadde092c1865f890959271b8f9d5

SHA1 hash:

f2042883f706a530d066dd543182b7b87cdff53c

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

SH256 hash:

92d58fcc37b9ec3e6c1315339a046a93c4f5fc99688172f71e6f6e4884b97481

MD5 hash:

cf86b8c3ef9d8503751eb74c61bb33c4

SHA1 hash:

150f6ed94bd3308aafd189c148c3864e9715c160

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

SH256 hash:

d91a91ec6b0a43fc21bc8da5099a969e3d4e6d3c3056d3bfc50177f57585f741

MD5 hash:

550dad1b8b60bcfa3a4ce8611ecd1ef8

SHA1 hash:

18e87587112de4724ee30564ceb5ddf126db0f9f

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

SH256 hash:

a26c0c5b9769a3a2901e3cc8753f5d76e24fd9ef7ef9609f8dc229ff1a533ff9

MD5 hash:

4fb034fd1afc85ef846f05772a007657

SHA1 hash:

1d17205a2fe13d54d1f1be078847f01330b9c3a0

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

SH256 hash:

9f278aa2f85b03974a640446d0605c39c23cebc0efe78d4dbec3297ac1c2149b

MD5 hash:

856458b3cafb49e15d9d4b7e9763ffd4

SHA1 hash:

3def092eabc842862ca4194d9781fa589df418f7

Detections:

win_agent_tesla_g2

AgentTesla

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

Parent samples :

6c18d7057ece3ae1524782a51f4dfa5589128b5a4c695cf1d3b9f1b95169cc4d
1736cd52fdc1deacedeac1de86d461ceb01c476e307520762b74b67ca8fa4b4b
cc7ca4eb1a90642066ef9697165ceb0a12cb5b8498a198cbed5524cab5974e74
7df1b33f35a3ca87f9242153c847cc0d8e1d45c7e3b5c5ecf9f23bddbf94b052
d71f85d32dd19dd5a0c5ad3b97c3eba3277a5966035970a2c9ea7dd8e23fafa3
372ef724cb2ba60abccfa7f0ac12e571059a3b28620a54a97a163a9b5a7205f8
59eced24086396408057708d32f922904341fca0cbd41884dc8e7359c3f50327
37c09235f5b6487dfc9689210d35b039a3ab2e74426c4284e4c7119269bc9104
a0b93473fe0aa4e5df49542aea136c8b037d85e4bae90eb5f55922e18ce6b804
720264d1cb886a1fa9bb5f807acf3677a82701e8e0fc25e65d03252bb7c8f69f
0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32
df52744df9ff4bd8dfb0b6e6e86f94d1d885caba0f2deb2f8a429978b475508a
6be1f66c2715c6e4e9e535375607880080dd5a110326e80418d224b129aa50e2
2a64d3212309da646f5ef8210f6b8966c7a63ce82cb5bbd3c03838dd296badcf
4a7ce095400f7f3f613c9ea581084cb7756874d13301030b8955611a408dc312
357f7d8ce29a87629b8d9ab9230362cca864c3bb6a010e783290838d405626cb
f888c4770bbbbcad15c357d6731ff8f5afd7e62e4c35652f3dc3ede6c36b66e9
bbadbf3fdbbf1e1d3b0990bbd18ab566cc3028538d4fab8981d0f8505d44349a
2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e
e4bc932751053ca7710ced80639899db651a4addacf9c05811c0e8ab1842eb66
81bf08f12cdd41902982c5bfb43b2ebcc327a47e24d8d17a085349081138c1f7
489c3b4e65ec46019d1b57f2485c8862d3904e85994280a41d5271903386f07f
70a576a39497248cdc4e1510b0b210abc5c4fbc702fe00f69d4ed1f6f50ce7f8
ec81c38ff89da4f91aff94a7ae635adef1e8a4eb07f6ee5eb3f1908e33fb1a19
4aa035616ed50d2ca3d86455ef14e5c306d072b3942d25ce570b519b0cb142d6
00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771
0e4a730c64635bfe562af7d6e8c8fbea0e61a81780c2a3b9b562c550db5017ba
f5cd003d079d427c2ffb80fd91788083b66b624a2ead6ee8a2963a8f93b0707b

SH256 hash:

58ababa3b3d3b2ade25643e6335d5f4308346da4a60ab60b1ddeb21f2774052a

MD5 hash:

66199e9f66be67860f2728a54768c8a5

SHA1 hash:

ceaec58ad48c3e1b910284a08feaa4166d2b5698

Link:

https://www.unpac.me/results/5d04a0ea-dd56-4d4f-9f97-25d6e3c20821/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/00d76b06a5f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	agentesla Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked agenttesla malware samples.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18027/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample