MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

SHA256 hash: 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225
SHA3-384 hash: c07908155bdd775d05f5d3ee610cd9bffa1776ab3f87898b9dc0f7714cdd9468e875f166a5950f252a136664c9cbe6ec
SHA1 hash: d98355c477c555f9c9df420158fabfa79135038a
MD5 hash: fa19b78b109a6e4775f8415de3812559
humanhash: undress-carolina-bulldog-zebra
File name: 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225
Signature: AgentTesla
File size: 699'904 bytes
First seen: 2025-12-08 16:09:49 UTC
Last seen: 2026-01-09 15:22:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21371b611d91188d602926b15db6bd48 (77 x Formbook, 64 x AgentTesla, 32 x SnakeKeylogger)
ssdeep: 12288:Dz7hU5I5yuNHIgzSFKxWltRohBfSTso93Uke8v/LHR5VTmXJVYNrdEQEKS:Df+iN57Gtene3/Lj1iXAEKS
Threatray: 1'151 similar samples on MalwareBazaar
TLSH: T1F2E4239156C16950D1607330C83ACCA45A387D729E56677ECB28F69FAC703C3AEB364E
TrID: 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: aae2f3e38383b629 (2'645 x Formbook, 1'203 x CredentialFlusher, 914 x AgentTesla)
Reporter adrian__luca
Tags: AgentTesla exe UPX
File size (compressed): 699'904 bytes
File size (de-compressed): 1'206'784 bytes
Format: win32/pe
Unpacked file: c51687fb524469a5e1cc2a67c2e43691decf8a844cc7827cfdf276da1f00f153

Intelligence

File Origin
# of uploads: 2
# of downloads: 137
Origin country: HU
Vendor Threat Intelligence

Malware configuration found for: AutoIt, PEPacker
Details:
AutoIt: extracted scripts and files
PEPacker: a UPX version number and an unpacked binary

Malware family: agenttesla
ID: 1
File name: 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225
Verdict: Malicious activity
Analysis date: 2025-12-09 06:48:10 UTC
Tags: stealer ultravnc rmm-tool agenttesla netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: virus lien

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Restart of the analyzed sample
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Changing a file
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict: Malicious
File Type: exe x32
First seen: 2025-11-27T22:26:00Z UTC
Last seen: 2025-12-10T12:11:00Z UTC
Hits: ~1000

Verdict: Malware
YARA: 5 match(es)
Tags: AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Threat name: Win32.Trojan.AutoitInject
Status: Malicious
First seen: 2025-11-28 04:02:55 UTC
File Type: PE (Exe)
Extracted files: 52
AV detection: 31 of 38 (81.58%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery keylogger spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
AgentTesla
Agenttesla family
Unpacked files

SHA256 hash: c51687fb524469a5e1cc2a67c2e43691decf8a844cc7827cfdf276da1f00f153
MD5 hash: 4249b26282216381d5199522962a3e7b
SHA1 hash: 0adc40fcb0c95406c140b45c26a977cb95a3ec09
Detections: AutoIT_Compiled

SHA256 hash: b9cdf033d2f2a7e386eb33c1d5fadc9c8d282dac63e1ce7ee8f0af49df84d711
MD5 hash: 75fc4d819504b797d12b74f98c8124c2
SHA1 hash: b928fe89c209c05c3c5ec95d57664e4889dc61e8
Detections: win_samsam_auto SUSP_OBF_NET_Reactor_Native_Stub_Jan24 MAL_Malware_Imphash_Mar23_1 MetaStealer_NET_Reactor_packer MALWARE_Win_RedLine

SHA256 hash: a7c1da5486e91e8afd62833ab47c4c4d5d8097838353744433fe408144a5ad6b
MD5 hash: f712b2c1865a3a118152452840a1ea11
SHA1 hash: 24cde43e6cd6bda14ca989d191c7c445993ab5a3
Detections: AgentTesla SUSP_OBF_NET_Reactor_Indicators_Jan24 RedLine_Campaign_June2021 Agenttesla_type2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

SHA256 hash: 86cb879164afb94ebf9be082856c06291258f99c5941794d7a2461f285eade26
MD5 hash: 923eb89ae76de1ec653b7d74ac98e347
SHA1 hash: 6146f37e8592ce96854c831995628e35f43cc5a6
Detections: AgentTesla SUSP_OBF_NET_Reactor_Indicators_Jan24 Agenttesla_type2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

SHA256 hash: 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225
MD5 hash: fa19b78b109a6e4775f8415de3812559
SHA1 hash: d98355c477c555f9c9df420158fabfa79135038a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: win_samsam_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Signature: AgentTesla
File type: Executable exe
SHA256: 227a4456fb01401663152a26fe350696552d9e8b6800b0ae740f651537f51225 (this sample)
