MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
SHA3-384 hash: 02914b9f03dd3248d566f3216f64b24ce56780295ffa8a1cf80f8a40ccfaf9c3951cd586e7a36f3876bedd1ce3074d98
SHA1 hash: 7f9782e08f5472f712aa5a58739b0188cdad9dc8
MD5 hash: 3b487c2b51d0701530f933af8b476546
humanhash: utah-stream-bacon-robert
File name:Orden de compra.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:852'480 bytes
First seen:2025-11-24 14:41:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:f0+niZcstO5Lkq6C06MNfK6gUSMHuonxx9Wh9ENJcaIkqGPiNzE7:7niZcstwoCiI6N7xS92JIfFNz
Threatray 31 similar samples on MalwareBazaar
TLSH T1B105CE3223E85B95F4BF9B38943554008BF1BD16DB23EB5E7D9850ED1931B80CA66B23
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Orden de compra.PDF.exe
Verdict:
No threats detected
Analysis date:
2025-11-24 14:41:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c5cafd5-6d72-4391-823e-99e39347dbd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41297/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69246ef6587b4206e7f278bb
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla base64 crypt infostealer masquerade obfuscated obfuscated stealer vbnet
Link:
https://www.filescan.io/uploads/69246ededeea95d50b257943/reports/3132a77b-e307-409d-b145-41ce065c43bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-19T08:59:00Z UTC
Last seen:
2025-11-25T07:19:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Inject.gen VHO:Backdoor.Win32.Agent.gen Trojan.MSIL.Inject.b PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.DarkCloud.gen Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Agensla.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan-PSW.MSIL.Agensla.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.c Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.g Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ae9f2b25-aebf-4c2d-a5ff-58e1a8091772
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/3b487c2b51d0701530f933af8b476546
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f/
Verdict:
Malicious
Threat:
Trojan-PSW.MSIL.Inject
Link:
https://tip.neiki.dev/file/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
Threat name:
Win32.Trojan.InfostealerTesla
Create hunting rule
Status:
Malicious
First seen:
2025-11-19 16:29:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5wtx2v7m3aufgnzs4oy53m5qgjycetqe5mbedog76cyw2rlymhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
8989c105f6a548982cbf744de60417d0d3137e2559335e43ba0ea1355b93b163
AgentTesla
938d90bf1bb3fcb3c7352990f0c05603b0208bee21b6e3d02b5f0cab97f7f35d
AgentTesla
d6be3636790bf843b8ea28594aaf894861e5beb00d53ef17480981149d7009c2
AgentTesla
d6fc5f9611c4d44858277a1c792ef65f864b0933a5abd3ed0d209714a8be6aaa
AgentTesla
d98a372deb31439799f2cfdf7a8a0421d71d8c6dc9a2144ba7bcc6894c14f5b2
AgentTesla
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251124-r3hwkagj6z/
Behaviour
System Location Discovery: System Language Discovery
.NET Reactor proctector
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f6ac15dd-e422-4e25-b1e0-1b9c4666a4b9
Unpacked files
SH256 hash:
0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
MD5 hash:
3b487c2b51d0701530f933af8b476546
SHA1 hash:
7f9782e08f5472f712aa5a58739b0188cdad9dc8
Link:
https://www.unpac.me/results/726b2a3a-5466-4375-87b3-7c92602256e0/
SH256 hash:
ec6631dabca71cb53c05587abf63522606a985f3513928083f39c8d66551700d
MD5 hash:
99d8be71522731ad423d81b43c773f7b
SHA1 hash:
be786b0bb35b3f4403d3cd1a53b464f6ac0cc58f
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/726b2a3a-5466-4375-87b3-7c92602256e0/
Parent samples :
60a26437468391932cb6d87b57e7ab89f22ffabe4bb199a5cc7ecbe1fa931f71
a56e10d246a4738546db98052e93096eed2e6ccea1688e3976e8e053aaa0b3d0
17e58d32c3edba5a27fc78a38c63206d312811794e694c108fe77e1f74ecfc57
c0141e9acfac5a67dcd3a794c24ab41dfb379f14e3c1931771c9a7e98e3f12ea
0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 0f6d3beabf66c14299b9971d8eed9d81938112702758120dc6ff858b6a2bc30f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41297/

Comments