MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae
SHA3-384 hash:	bb4d783dff1896f52e0ff072297d4595311031fe880a97b3cf4b928641aaa30fc6b49604fd564c89cb7ceaf26963a0b3
SHA1 hash:	a1494f9d240175f0cadab6bb1e0cc4b97a3b6106
MD5 hash:	7e4a82b07c382d1c2c4fe2b8d99770fa
humanhash:	jupiter-tango-glucose-salami
File name:	Payment.js
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	1'879'310 bytes
First seen:	2026-06-29 11:37:53 UTC
Last seen:	2026-06-29 13:33:06 UTC
File type:	js
MIME type:	text/plain
ssdeep	12288:c/kYXo62lIkakQiKPsEFTekVH1NLwcl+SUUBNzmzc4YeitCFr0Y0UNknr1jaletO:iLO
Threatray	3'550 similar samples on MalwareBazaar
TLSH	T10795192B9EE168BEE1F7C091A8B453C5783BB3B030BD047D98D703598A564891F9A74F
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	txt
Reporter	threatcat_ch
Tags:	AgentTesla js

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

137

Origin country :

CH

Vendor Threat Intelligence

ACCE Unknown

No detections

ClamAV Detected

Detection(s):

SecuriteInfo.com.JS.Obfus-417.UNOFFICIAL

Alert

Create hunting rule

CyberFortress Malicious

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a42593c86bc95245bfa99b9

Tags:

trojan shell lien hype

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

base64 conhost encrypted evasive lolbin masquerade obfuscated powershell repaired wscript zero-day

Link:

https://www.filescan.io/uploads/6a42593806f336ab55203ac1/reports/5742346f-b860-44cb-b816-f9af6c3b1aa3/overview

Hybrid Analysis Generik.JQEGLNQ trojan

Verdict:

Malicious

Labled as:

Generik.JQEGLNQ trojan

Link:

https://www.hybrid-analysis.com/sample/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae

Kaspersky OpenTIP Malicious

Verdict:

Malicious

File Type:

js

First seen:

2026-06-28T21:43:00Z UTC

Last seen:

2026-06-29T08:34:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae/results?tab=lookup

Joe Sandbox AgentTesla

Result

Threat name:

AgentTesla

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1934894

Signature

Check if machine is in data center or colocation facility

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Found malware configuration

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Powershell scriptblock execution from environment variable

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae

Malva.RE

Gathering data

CERT.PL MWDB agenttesla

Detection:

agenttesla

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae/

Neiki Family.AGENTTESLA

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fz73bupdazn6b4yk2ljtn4a27vyylevs2jet2jqqp35re7kpusxa._file

Threatray agenttesla

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

Similar samples:

013e0807afdbbe14fe30a302620f31147fc03caa771ff9bd7951347acdb5ecb0

AgentTesla

093b27955f0d326ed5ebd547ff0400edcac29446125c691615cb6e353d4a6e34

AgentTesla

145512ad0ee1ebe7ca3e4298be88ffa7cdb984b535128430a65acccc9d19ff14

AgentTesla

1f641beb2d66a3ffb622b07ff14f2d3a6e914545ea3914d89eb666ab5383e529

AgentTesla

8ad65f2edc59082f3b40672a3d89593b415ec64176136c9f6f783adf1e055e31

AgentTesla

d212b7434d098b644d7f233d8aa666baf1444b9505171cecd09ab7b0fe9319e7

AgentTesla

eba13078dea9e803b9120a45cd0dfad589f1defdf0f86fe84ae77fe63fff5300

AgentTesla

error

AgentTesla

f16b1132787a89918e6a41cd23caea200a97b4ceed89eef555f00d43c4ecf808

AgentTesla

+ 3'540 additional samples on MalwareBazaar

Hatching Triage agenttesla

Result

Malware family:

agenttesla

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla adware collection defense_evasion execution keylogger persistence ransomware spyware stealer trojan

Link:

https://tria.ge/reports/260629-nrz4xsdz6q/

Behaviour

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

outlook_office_path

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Enumerates connected drives

Hide Artifacts: Hidden Window

Looks up external IP address via web service

Checks computer location settings

Registers new Windows logon scripts automatically executed at logon.

Badlisted process makes network request

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Family: AgentTesla

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/2e7fb0d1e3065be0f30ad2d336f01afd718592b2d2493d26107efb127d4fa4ae