MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f
SHA3-384 hash: 98c29d46dd1ab7121cad556097205c8fd0c6edab98e623353e368c7dd21dd405a30a2698298a48bc83f8c7e8a6f7ff6f
SHA1 hash: 7d90d12d88550d41428163946b7ae90243e32b2e
MD5 hash: 7e439c44d58bde9c7875928494ce7d06
humanhash: early-failed-tennis-island
File name:SecuriteInfo.com.Win32.MalwareX-gen.19911.19708
Download: download sample
Signature AgentTesla
Create hunting rule
File size:700'928 bytes
First seen:2025-05-15 19:42:34 UTC
Last seen:2025-05-15 20:16:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9l3PF9YCnOZ5BHoxfKQ+Y3QzFbAOQsQnrwHP+uvannODj:bF9Rm5BIBKQ+qtOQsvvTanODj
Threatray 8 similar samples on MalwareBazaar
TLSH T1B9E47A8463E84548FABFAF7540B4A5454B76F847D93AE35D26C0A0EE1D33B92DC20B63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
527
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708
Verdict:
Malicious activity
Analysis date:
2025-05-15 19:44:50 UTC
Tags:
httpdebugger tool stealer evasion ftp agenttesla exfiltration
Link:
https://app.any.run/tasks/30e690f9-23f4-4d8a-aa25-c8d89a4e97e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.19911.19708.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682644a5e16384d6a704d2f0
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 lolbin obfuscated obfuscated reconnaissance remote vbnet
Link:
https://www.filescan.io/uploads/682643cdc609634bd7c44663/reports/708e2a49-c933-4791-8f85-0fa6db4b6ea1/overview
Verdict:
Malicious
Labled as:
MSIL/GenKryptik_AGeneric.BCI trojan
Link:
https://www.hybrid-analysis.com/sample/26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2e6c40e1-0b8e-4073-ba23-f27c92390863
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1691151
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-05-15 06:23:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
25 of 37 (67.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2ygnkmx5sr3pmenbbizi5hvgbxhae46yfmffbb5b4i5utjzmwhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
322c2f6753a320e174fd437679d7879685922b9cb8fdf01149be9beec3fea14a
AgentTesla
6af49952b9691e790468c76b58c2675bfd79d6209ff9c2b2cd607af1f73b8fe4
AgentTesla
76cf1faf704723b1c79e68db104409fb5dc8a9a76afa88dce72f6e91d3c073de
AgentTesla
b0c2a05ff2f9cbc23d083b0171d157d42b890f89c8cb9d2c7e5475c6e1ffd468
AgentTesla
dc032be1c81bf6149441b83be4bc12b8cef20255ec60f49e5778968c8004674c
AgentTesla
error
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250515-yfcjla1wbw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1cb2739d-dc21-409a-b4b9-4bcabc5b2c0c
Unpacked files
SH256 hash:
26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f
MD5 hash:
7e439c44d58bde9c7875928494ce7d06
SHA1 hash:
7d90d12d88550d41428163946b7ae90243e32b2e
Link:
https://www.unpac.me/results/8e39d415-f125-4bfc-80c9-8e2f676e0570/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26b066a997ec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 26b066a997eca3b7b08d08519474f5306e70139ec15852843d0f11da4d39658f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3544187/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments