MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff
SHA3-384 hash:	abb667c585a9193fe31401be4d39fe9fb379fef2a18f995cecde7866b32af5fa49c5f3f9811abc1288289c6a7a1007c9
SHA1 hash:	7906812720cda461a185b1dcbbc831a7f2c52158
MD5 hash:	94cca701d5aee78f9d8c029c9b3b1664
humanhash:	georgia-magazine-mike-arkansas
File name:	6Kv1C4MS24fVFPcc.js
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	324'136 bytes
First seen:	2026-04-09 07:21:05 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	6144:dxQoAjEjJXHeX3rLUb0rLAgl8DOUvMPQ5IoQLfK44OdYjvKzlL:39Z6Ub2jl87Qm7wff4U7
TLSH	T11E64E004F6FC1018F2B26F4968F429B24937BE622D1EA8FE16285D5D0BB2544DC7673B
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	vba
Reporter	abuse_ch
Tags:	AgentTesla js

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

116

Origin country :

SE

Vendor Threat Intelligence

ACCE Unknown

No detections

ClamAV Detected

Detection(s):

SecuriteInfo.com.JS.Starter.147.4116.8624.UNOFFICIAL

Alert

Create hunting rule

CyberFortress Malicious

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d7537266ab6d001dd082cd

Tags:

virus shell agent

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

exploit repaired

Link:

https://www.filescan.io/uploads/69d753695ea31bc68a1a76b1/reports/6067b4a5-6a68-4af2-8c67-5643ed827416/overview

Hybrid Analysis HEUR_Trojan_Script_Generic

Verdict:

Malicious

Labled as:

HEUR_Trojan_Script_Generic

Link:

https://www.hybrid-analysis.com/sample/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff

Kaspersky OpenTIP Malicious

Verdict:

Malicious

File Type:

js

First seen:

2026-04-07T03:10:00Z UTC

Last seen:

2026-04-11T03:57:00Z UTC

Hits:

~1000

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff/results?tab=lookup

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1895763

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Found malware configuration

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Yara detected AgentTesla

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Benign

Score:

6%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff

Malva.RE

Gathering data

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff/

Neiki Family.AGENTTESLA

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff

ReversingLabs TitaniumCloud Script-JS.Spyware.Negasteal

Threat name:

Script-JS.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2026-04-07 09:48:14 UTC

File Type:

Text (JavaScript)

AV detection:

8 of 24 (33.33%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ecwwjufk3tnmmah4xxbgd4wvxiwmj3zspyck425gl3izgkaint7q._file

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla execution keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/260409-h6seqscy3s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Checks computer location settings

Registers new Windows logon scripts automatically executed at logon.

Badlisted process makes network request

AgentTesla

Agenttesla family

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20ad64d0aadcdac600fcbdc261f2d5ba2cc4ef327e04ae6ba65ed19328086cff