MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 16

Intelligence 16 IOCs YARA 18 File information Comments

SHA256 hash:	2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e
SHA3-384 hash:	82531ebe821977fca355ba85e8f78489dc6624da2778a995e7982431dfb255ab55cd8e88ab29cd018b6f1d04958c2917
SHA1 hash:	8e5b38fb8ed5097467e17d9d280d721f0954c5b7
MD5 hash:	f4eee7ffba23cff37716d5ea864ccd4a
humanhash:	autumn-fix-queen-harry
File name:	2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'378'816 bytes
First seen:	2025-04-08 08:46:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Mi1ETGuEoOlUJApK+Oe0Lncrhxz/chSJMatc0MWWqYUJUJy5VH7cxbDv8X+0w+/q:BOGuEmYzoijsSJMucVVJJy5Bwx/v4ByT
TLSH	T1AE55BE45D2CDFD8AC00B1076987CF534295EF75AA277CD2A2A2AB53561A73833027F4E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
dhash icon	d480aa8e96968ed8 (20 x AgentTesla, 15 x SnakeKeylogger, 13 x MassLogger)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e

Verdict:

Malicious activity

Analysis date:

2025-04-08 15:14:41 UTC

Tags:

evasion stealer ultravnc rmm-tool purecrypter netreactor agenttesla

Link:

https://app.any.run/tasks/205e6aeb-caa9-438c-ace8-df60cc687317

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f4e3cde011fe619fad299d

Tags:

agenttesla autorun

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Launching a process

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Reading critical registry keys

Creating a window

Stealing user critical data

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/67f4e2972d430c849e0c897c/reports/9a546176-3271-453e-a332-1d2137243879/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72c9180a-e977-43bc-b66f-4a4ec357ee80

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1659328

Signature

.NET source code contains potential unpacker

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2025-03-28 05:03:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fue2n3ohqkm33s34ickooxzqum2pwpgfhktdkkpcfbrpt5ldwmxa._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250408-kp2cessl15/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Drops startup file

AgentTesla

Agenttesla family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/f36c18fa-f6dd-4da2-b8a9-45bc2f51b2df

Unpacked files

SH256 hash:

2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e

MD5 hash:

f4eee7ffba23cff37716d5ea864ccd4a

SHA1 hash:

8e5b38fb8ed5097467e17d9d280d721f0954c5b7

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

SH256 hash:

3caf703e3d74756a9321a255f13bcef7f0b79499b73cc8ce70d625eeae9f47b9

MD5 hash:

3a52292023b73662701e74c1f8d393a5

SHA1 hash:

3ca46520497a4db17b753d89670919fcdff09540

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

SH256 hash:

51eb83788fbb8d59473030cd09c67efb375caddc228590a4a188ecc7a0f6f73d

MD5 hash:

9d2d0b346f13017e75a904ab1de3d948

SHA1 hash:

0a65663ec80aa6fb8a4a414c9a94d2d86da085b6

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

SH256 hash:

9f278aa2f85b03974a640446d0605c39c23cebc0efe78d4dbec3297ac1c2149b

MD5 hash:

856458b3cafb49e15d9d4b7e9763ffd4

SHA1 hash:

3def092eabc842862ca4194d9781fa589df418f7

Detections:

win_agent_tesla_g2

AgentTesla

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

Parent samples :

6c18d7057ece3ae1524782a51f4dfa5589128b5a4c695cf1d3b9f1b95169cc4d
1736cd52fdc1deacedeac1de86d461ceb01c476e307520762b74b67ca8fa4b4b
cc7ca4eb1a90642066ef9697165ceb0a12cb5b8498a198cbed5524cab5974e74
7df1b33f35a3ca87f9242153c847cc0d8e1d45c7e3b5c5ecf9f23bddbf94b052
d71f85d32dd19dd5a0c5ad3b97c3eba3277a5966035970a2c9ea7dd8e23fafa3
372ef724cb2ba60abccfa7f0ac12e571059a3b28620a54a97a163a9b5a7205f8
59eced24086396408057708d32f922904341fca0cbd41884dc8e7359c3f50327
37c09235f5b6487dfc9689210d35b039a3ab2e74426c4284e4c7119269bc9104
a0b93473fe0aa4e5df49542aea136c8b037d85e4bae90eb5f55922e18ce6b804
720264d1cb886a1fa9bb5f807acf3677a82701e8e0fc25e65d03252bb7c8f69f
0ca149e59a526c1811fcac3c14943acdbc43a3261af653670bc9e71436b1fc32
df52744df9ff4bd8dfb0b6e6e86f94d1d885caba0f2deb2f8a429978b475508a
6be1f66c2715c6e4e9e535375607880080dd5a110326e80418d224b129aa50e2
2a64d3212309da646f5ef8210f6b8966c7a63ce82cb5bbd3c03838dd296badcf
4a7ce095400f7f3f613c9ea581084cb7756874d13301030b8955611a408dc312
357f7d8ce29a87629b8d9ab9230362cca864c3bb6a010e783290838d405626cb
f888c4770bbbbcad15c357d6731ff8f5afd7e62e4c35652f3dc3ede6c36b66e9
bbadbf3fdbbf1e1d3b0990bbd18ab566cc3028538d4fab8981d0f8505d44349a
2d09a6edc78299bdcb7c4094e75f30a334fb3cc53aa63529e22862f9f563b32e
e4bc932751053ca7710ced80639899db651a4addacf9c05811c0e8ab1842eb66
81bf08f12cdd41902982c5bfb43b2ebcc327a47e24d8d17a085349081138c1f7
489c3b4e65ec46019d1b57f2485c8862d3904e85994280a41d5271903386f07f
70a576a39497248cdc4e1510b0b210abc5c4fbc702fe00f69d4ed1f6f50ce7f8
ec81c38ff89da4f91aff94a7ae635adef1e8a4eb07f6ee5eb3f1908e33fb1a19
4aa035616ed50d2ca3d86455ef14e5c306d072b3942d25ce570b519b0cb142d6
00d76b06a5f9a7d23c7fc78c9f83b08d84e4a8a84e8da0a852ec0f6c5e65e771
0e4a730c64635bfe562af7d6e8c8fbea0e61a81780c2a3b9b562c550db5017ba
f5cd003d079d427c2ffb80fd91788083b66b624a2ead6ee8a2963a8f93b0707b

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/84c5eab1-1abd-48d0-bce5-7537a390f726/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d09a6edc782/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample