MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
SHA3-384 hash: 6211d6171813981cb256e87d4b44cdbf8239ba785412cf6d844678326dfde8bae8dc4e9217d910977a0f381d3f0eb779
SHA1 hash: 091b5b4c9d31b42687ecabd0e6854821f174f013
MD5 hash: 82514ae9aa8d8761e440385927eb25fc
humanhash: five-avocado-one-carolina
File name:1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
Download: download sample
Signature AgentTesla
Create hunting rule
File size:675'840 bytes
First seen:2025-09-05 13:02:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:bHN/thRo+lHNI8LtDW2i/vsUGf+58Tv5LsgsvGrRpSL9PAhan2:L7XRNIyNW2wGf+U4gsvGM9
Threatray 979 similar samples on MalwareBazaar
TLSH T1E9E4025022DAD405E1F63F7429B1E3B947BBBD8DB930C31A57E46DAF3E26B4198103A1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b_21082025_0236_20082025_doc18082025_71882762_27736677262-pdf.xz
Verdict:
No threats detected
Analysis date:
2025-08-21 03:32:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50ad8554-7e86-47a3-bec6-2708393bfd34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25546/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68badf84eb163e0ec1848150
Tags:
shell virus lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68baea3c20d0ee406d96b75e/reports/8be60c15-e4d1-498a-9dff-d16f1830bd9a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-20T04:34:00Z UTC
Last seen:
2025-08-20T04:34:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/13b11641-8937-43a7-b163-be461c39a042
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/82514ae9aa8d8761e440385927eb25fc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 08:20:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d3ef7saj6bszu2ynl3ewgyhlcz7to6rpgykywejngql3rkriy3jq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
33912e2315c6ce788cc44e678aeca8d5e0741d8e0d5c3f4868ef4acd8b71a523
AgentTesla
649243059c52a8eec583ec9e6334aba54c59dcddf41a78a9ca836be6e6727f67
AgentTesla
96b5f548190e75840e623792ee01e9561d1f88a89c6fdce734a6cc9a038523ea
AgentTesla
cc1b38c4aa79c03c777b0d99c9ae67fef380572e36f0744d110c18137ce9f3dd
AgentTesla
+ 969 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250905-q4bcfaxm17/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4e8adb7-0396-47d4-8fc6-d7120035d475
Unpacked files
SH256 hash:
1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
MD5 hash:
82514ae9aa8d8761e440385927eb25fc
SHA1 hash:
091b5b4c9d31b42687ecabd0e6854821f174f013
Link:
https://www.unpac.me/results/9b6dca49-2c0b-42df-b6b8-97c4c822df5f/
SH256 hash:
ef428a376f86f7a54b8b41ffdde0e45a5f123da11def5ffa754a502b90d11ecb
MD5 hash:
7862a5ab80a981c81bcad291436d5f5a
SHA1 hash:
64b8c8bec34a28394006baf98c75bcaf31b6d8c0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9b6dca49-2c0b-42df-b6b8-97c4c822df5f/
SH256 hash:
79a5aaac2b0b3ed87c0b5e6ad0522823e813a266743a34a9cecc63e6c9d7ab14
MD5 hash:
2d35a6486c5c5acd42466f87ba0df509
SHA1 hash:
a188bec4d270043b705f0918c8e5d8b4daa94ed1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/9b6dca49-2c0b-42df-b6b8-97c4c822df5f/
Parent samples :
cc1b38c4aa79c03c777b0d99c9ae67fef380572e36f0744d110c18137ce9f3dd
3437dcba37836ce6f8964000868d8b0728e5dcb25d8bf7421828bd1ba5e6b506
2a8a729d0e203b203a53c0b4ab591ef3aa3eb0fd45972297a2b597404ecef986
168eb588a4e2f648bb92bec333cbd6a68e2de589a9d804f07933953a4ffc4d1b
62f63b180fc726bb6d54ecba4b3edb4436e2442953b07aea87c0e60cf057417f
eb2355578fd4ca8325b848618aa1e062b72e13aa38d4bd3fdd57beeac2dd34e2
1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
0003037c7818733557d04c87095ece05f43dce9f2b571d82ba633181956132a2
45c64c04137dbd68881ec07852bf10e7c491f504e1f78247b1217114cab47d3e
2b487f0335ba1979c655567bfeac93da05f0536374da8d625401f5ac5c33abb8
SH256 hash:
f61be0bd1fff1d218d5a74306848726e789b6d8c65f55724ec7904eeaeffd761
MD5 hash:
719270e620cc20fd2b7d3e874da50a82
SHA1 hash:
b48990989ebf47cd8265f8e450d9126fdbea5482
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/9b6dca49-2c0b-42df-b6b8-97c4c822df5f/
Parent samples :
344be2ed196b4a682ecfecbd49caa628e125702271d7bfb16ac401aa1e0ebae9
0f35ba4092a1137650826b2cd0eff36eeb58a51c09fb1210199948a2b03a48f3
3ae52f38b463fa450629da184d223a27e5002f72f83e98d584ea3034511d0427
5ee74602fdef3846c56f40f16231b576112c9169dc27a6cd2d5550035b358fa1
37fc883dc7dca2f74947e57ef839c8a2349330ea9e32cb3445f76ebc3c901741
3da3b1bc37004b4857d1f3afe3f740fe449bb441070d314dbbca2b5da674654e
e652137d75dc278b1867671a62661276100afd0e3f7d62ed07b6bc27e5a1277f
a1a9a1eb021b4358e6585bd24332ec331ab91973b4286eee6f82f778997bfc33
afafe9eb66c81266d5fc9353912a06f148afc49324605da77250642c9358afa2
6f7ec2c8d3c0ef2d5d4e5ea824c0af4264cd08aa0580f04499df5e4b69bc8066
24e06184fc1bf5b257407c973ab141ea9b4b4ae88e8bf2ba2231f20539491b0f
026f6b81acb81bef3b445c2f1adcd6d6f747942ea61c28be6cc007cb3fa297ce
2f202930f8eeacaa4c09b516511f28c60294351aa61e499af19112d7f17f7794
d6d543741f22a6a4ccc7c66a73ddacbe7918818dd0717f004c3216e180e4da99
745fa2ad40de39e3a4e6d27d26099cd2d6158dfc96950bac409e6aa508a2b87b
3a304e9ea65b8025c9b9a2337757f1270f3274ade5dd97236cc3a445348264a3
331b4062e2bd91848560e3d76e2ad7f34fec3be595f3925f9eb45326085966e7
1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ec85fc809f0659a6b0d5ec96360eb167f377a2f36158b112d3417b8aa28c6d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25546/

Comments