MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc
SHA3-384 hash: 892af015295068804f3d2fed99a99911d6b3b974d512fe67cb4e6bf1fac41bf859ef44cfb339781242efc3e8e3aff971
SHA1 hash: d8bf98e2cfb418510e0f499d12798911a9567428
MD5 hash: a47fbe57a8b06fd09c51de09510ab0a5
humanhash: lamp-idaho-equal-eighteen
File name:PO-04-25-8093.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:124'480 bytes
First seen:2025-05-13 08:16:01 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:3nqfnBznKhqTnBznInqMnBdnInqgn0bn/nnHPnFnnClTnin0hn/lTnTnBdnSnqi/:RKkcLEiFubv
Threatray 3'321 similar samples on MalwareBazaar
TLSH T1E4C35AEC5E5AA1CEF218E7B68F0155A8A5282C149372CFD97B3DD8D28D1E1E79E01C43
Magika javascript
Reporter abuse_ch
Tags:AgentTesla js

Intelligence

File Origin
# of uploads :
1
# of downloads :
446
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.15661.14072.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682300a1e16384d6a7040117
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/6822ffd6d95f3e34e9680765/reports/afd0e4a3-7fdf-4a03-8b81-32827e18e758/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Link:
https://www.hybrid-analysis.com/sample/07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1688700
Signature
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found Tor onion address
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: MSBuild connects to smtp port
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1688700 Sample: PO-04-25-8093.js Startdate: 13/05/2025 Architecture: WINDOWS Score: 100 26 pub-ee582455809e427681c0d15d9645b5cc.r2.dev 2->26 28 mail.detarcoopmedical.com 2->28 30 7 other IPs or domains 2->30 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 17 other signatures 2->60 8 wscript.exe 1 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 process4 dnsIp5 62 JScript performs obfuscated calls to suspicious functions 8->62 64 Suspicious powershell command line found 8->64 66 Wscript starts Powershell (via cmd or directly) 8->66 68 2 other signatures 8->68 14 powershell.exe 14 15 8->14         started        36 127.0.0.1 unknown unknown 11->36 signatures6 process7 dnsIp8 38 ia800801.us.archive.org 207.241.230.81, 443, 49686 INTERNET-ARCHIVEUS United States 14->38 40 pub-ee582455809e427681c0d15d9645b5cc.r2.dev 162.159.140.237, 443, 49687 CLOUDFLARENETUS United States 14->40 42 archive.org 207.241.224.2, 443, 49685 INTERNET-ARCHIVEUS United States 14->42 70 Found Tor onion address 14->70 72 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->72 74 Writes to foreign memory regions 14->74 76 Injects a PE file into a foreign processes 14->76 18 MSBuild.exe 14->18         started        21 MSBuild.exe 15 2 14->21         started        24 conhost.exe 14->24         started        signatures9 process10 dnsIp11 44 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->46 48 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->48 32 detarcoopmedical.com 161.97.124.96, 49694, 49697, 587 CONTABODE United States 21->32 34 ip-api.com 208.95.112.1, 49688, 80 TUT-ASUS United States 21->34 50 Tries to steal Mail credentials (via file / registry access) 21->50 52 Tries to harvest and steal browser information (history, passwords, etc) 21->52 signatures12
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc/
Threat name:
Script-JS.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-05-13 08:16:24 UTC
File Type:
Text (JavaScript)
AV detection:
11 of 37 (29.73%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a6tvzxmfy4kadwzkeej36tyxiwq7cszelphaj3quwvrhwgq7hw6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
36714617ab3acacb11df096fb64e7ced344b241ebfdd501a60077c931c89577a
AgentTesla
46bd635e26e21146d449e2032e7771614808a77c315c5d9478067ed9d6d6af2a
AgentTesla
4bb1c774d92416f89b1efabbe3e96ce92343942c399b41945c0d5f5fcd0a2f64
AgentTesla
61d6d15b22aed7572cca9b5785f07f02eec562a4142c2fb8605dabc89d7710b5
AgentTesla
7c9332df56fc0061fc832475af43d1c94636a5f8710011b3952dc98716f20899
AgentTesla
b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
AgentTesla
c35922ffe621f1719e7346a3fa7ba779766c44481ed2ad785782cc7bf693376c
AgentTesla
cb859f68816f0ced3b81286af4c046aee24df83455e5bccef39d6d1f818cf95f
AgentTesla
cda178767af65f18a4cca8c662edf67f46a7acb018479cb5dc378194a3300148
AgentTesla
error
AgentTesla
+ 3'311 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250513-j6aqcsgl6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/07a75cdd85c71401db2a2113bf4f1745a1f14b245bce04ee14b5627b1a1f3dbc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments