MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 23 File information Comments

SHA256 hash:	24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31
SHA3-384 hash:	0766181498776c520b0b98c077b54de4b38b793bc6bc6974bfbc1d2c537253b5962e868b0087bf339d6548a83b384ab0
SHA1 hash:	e606c87d57459e555c2b746c12d7c21ee3b4e6a3
MD5 hash:	b7bfc5ffc70f0350a3698c3089422baf
humanhash:	texas-india-juliet-london
File name:	stein.ps1
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'456'436 bytes
First seen:	2025-10-21 10:24:36 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	24576:5uMj1RkR3K3KkGzUy4YhHA9UH2EYzfBfvfL87+OdU+yG7vHliA+ekeGYHI0TfIMh:s
Threatray	3'759 similar samples on MalwareBazaar
TLSH	T1F365BFB875047DE6267F576BDA96ADDC03A617239ACBA4CC807477C305A3376FE02809
Magika	powershell
Reporter	ShadowOpCode
Tags:	213-209-157-234 AgentTesla ftp-haliza-com-my ps1

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f75f743edd081eba4053ed

Tags:

vmdetect lien

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm aspnet_compiler base64 evasive krypt lolbin obfuscated reconnaissance

Link:

https://www.filescan.io/uploads/68f75fbcfd2d7e012f4bd8c6/reports/788d1357-c18b-4eb7-a369-b3d30e2e6524/overview

Verdict:

Suspicious

Labled as:

PowerShell/Agent.DKT trojan

Link:

https://www.hybrid-analysis.com/sample/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31

Verdict:

Malicious

File Type:

ps1

First seen:

2025-10-21T06:41:00Z UTC

Last seen:

2025-10-21T08:30:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Generic Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Agensla.TCP.C&C Trojan.PowerShell.Agent.sb NetTool.PlainTextCredentials.FTP.C&C

Link:

https://opentip.kaspersky.com/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31/results?tab=lookup

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

PowerShell

Link:

https://app.malva.re/file/b7bfc5ffc70f0350a3698c3089422baf

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=es35kqcwpladpo4d5if7jbncne2m73zbdari53ktphapossfl4yq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

b383708f5ec6df8f7283f935c174c7ecd60585bb9535d860de3d7474225f4f76

AgentTesla

bfb9d8972b74d7da5ff27187a9faed4f6fbe6a835213ebb93ceabc15d88ef24e

AgentTesla

e0f52364d201db85deb89dc64581f14305d5f2ce72295a300a1a399947182fe4

AgentTesla

error

AgentTesla

+ 3'749 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/251021-mf4sasak91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

AgentTesla

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV2 Create hunting rule
Author:	ditekshen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Generic_Threat_808f680e Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

ps1 24b7d540567ac037bb83ea0bf485a26934cfef2118228eed5379c0f74a455f31

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3682323/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample