MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 21 File information Comments

SHA256 hash:	13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528
SHA3-384 hash:	4d336ece5c374dfbab2b3565b2fec7ea7a4ae82ea4f916a22337f89c60e3da0f9be2fcc6526cc2bfd36f8ef40921a972
SHA1 hash:	5ea386a53b0245f81c439f99db518ec176395dd0
MD5 hash:	21f9d9bc40e7c86b2c93f2f05ec1616f
humanhash:	ink-double-october-cup
File name:	Ödeme Bilgileri.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	662'528 bytes
First seen:	2025-10-11 06:07:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:Lf9PcZckVgRxbypDEj+Egjbpy3YHHO0sysOVwhYzS1IMUve+vdz:LfVc2uiQs+EKFYYnrsyNehYm1IkEd
Threatray	3'812 similar samples on MalwareBazaar
TLSH	T19BE4234D7742B75AC74CCBBAC502D42406E35A28E375F2FC29DD18B35F79681C88AAD2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	AgentTesla de-pumped exe

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ãdeme Bilgileri.exe

Verdict:

No threats detected

Analysis date:

2025-10-11 06:08:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c3e63147-2172-4640-a593-837b3c9ff5b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/32398/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e9f431777ae46bec4162f2

Tags:

spawn shell micro lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68e9f43974d89de012b4d8e9/reports/1669756b-35f1-4c81-ab44-aeacb9283310/overview

Verdict:

Malicious

Labled as:

Application.MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-11T03:16:00Z UTC

Last seen:

2025-10-12T10:42:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agent.sb Trojan-PSW.MSIL.Agensla.g Trojan-PSW.MSIL.Agensla.d Trojan.MSIL.Crypt.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528/results?tab=lookup

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/39ba3eea-8d57-4aa1-9d0b-d5b360abf70e

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1793268

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.34 Win 32 Exe x86

Link:

https://app.malva.re/file/21f9d9bc40e7c86b2c93f2f05ec1616f

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-11 06:11:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmeevvxc66iwmkfyqoevqbpva767ggdxhw6ggixi4dfnj3yk6uua._file

Verdict:

malicious

Label(s):

agenttesla

unc_loader_037

AgentTesla

4a974b7fb576b2183acefabf17ef453bd4503e5d25e8e5853d56b9c8a9a8c3ff

AgentTesla

5bc7a6540ac5984e13ac22b807a4724986bb179f9bcf81cab987cfab8e155d3c

AgentTesla

6ea4db068135afc1c4b04d0942b9352405623cb8bf2a6d9a5fc3c4c04bb0cc28

AgentTesla

8cb40cc9efa7f66d24c1af3ef4779f7a177ac50c1131f2e840633c1ad8f45b99

AgentTesla

error

AgentTesla

fe4a2ca725dbd1fe619d5c621751774d86fed32f112acf38f3b7c48fbe23d31a

AgentTesla

+ 3'802 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/251011-gvr46axmt3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2a71fc6c-ceb0-4207-99d4-8ab3bc2745ab

Unpacked files

SH256 hash:

13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

MD5 hash:

21f9d9bc40e7c86b2c93f2f05ec1616f

SHA1 hash:

5ea386a53b0245f81c439f99db518ec176395dd0

Link:

https://www.unpac.me/results/ef1b0146-5588-460b-929e-917ec1832a14/

SH256 hash:

868f9844cd6f0ea25b1115f509044f21f71a787afe9b706eb44c11f4942cb563

MD5 hash:

55786c675054c44592975b5fa7f643fb

SHA1 hash:

851f36ec99a212528ee1d5070af0907aaa05c483

Link:

https://www.unpac.me/results/ef1b0146-5588-460b-929e-917ec1832a14/

SH256 hash:

c8210bbbf6aa8c07fb6c179afcef183939b5f6d0711093ae35651484eb173cb5

MD5 hash:

bb42fac483abc3458d54f7dcdb1ef06c

SHA1 hash:

89fbc53cd0f8fb0f17c50ceab6cc7bd7e5e8f693

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ef1b0146-5588-460b-929e-917ec1832a14/

Parent samples :

b84eb436887c2b7f96db92f66cfbc6cbdac628a30ecca6d16eb0fbe229aecab6
13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

SH256 hash:

4fdd91d5399c8fe6bee9c6345f376cce4bb2a79050637bacb67847dbcf829fd3

MD5 hash:

415baf1a6528448c601a5521c20c26fb

SHA1 hash:

b336b26a3cc5ea48872cfa41c111d63560a830a3

Detections:

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/ef1b0146-5588-460b-929e-917ec1832a14/

Parent samples :

fe4a2ca725dbd1fe619d5c621751774d86fed32f112acf38f3b7c48fbe23d31a
3b34d7190c6169983a9acbe191c1aef937600c3818f0fd8be3a63bd96b3bbebf
b84eb436887c2b7f96db92f66cfbc6cbdac628a30ecca6d16eb0fbe229aecab6
13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/13084ad6e2f7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13084ad6e2f7916628b883895805f507fdf318773dbc6322e8e0cad4ef0af528

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla