MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d
SHA3-384 hash: 09a6d3ded9c1f69d8bfccc234cbbf2d2627cf991e2c6d86c75bcbc8e157ab20f2e4e35cc2e13397877a1c9d3644eec23
SHA1 hash: f347205fa3246c92e69965966d171ae68f42a3e7
MD5 hash: e15b940ed5b909ee26fee16a3cfe8a57
humanhash: wyoming-enemy-nineteen-artist
File name:slyxx.ps1
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'458'356 bytes
First seen:2025-10-21 05:49:20 UTC
Last seen:2025-10-21 10:24:19 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:KvUy4z8ntQK/2tqNhA1MVcrvGfYchfXOn2jIXG/c2G5yf+wcspEFX33kAnYZNos:y4slNVSjnwcD8EyAYos
Threatray 2'103 similar samples on MalwareBazaar
TLSH T1EB652324E9080729973A82F0BC391F156FB65DD600CABB13369B7C9D52DEB7618930AD
Magika powershell
Reporter abuse_ch
Tags:AgentTesla ps1


Avatar
abuse_ch
AgentTesla SMTP exfil server:

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f71efc3edd081eba404474
Tags:
ransomware spawn virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aspnet_compiler base64 evasive krypt lolbin obfuscated reconnaissance
Link:
https://www.filescan.io/uploads/68f71f963a79800405ed95b8/reports/947f9a4a-7bd9-42f1-b8b0-4ea69a441e54/overview
Verdict:
Malicious
Labled as:
PowerShell/Agent.DLH trojan
Link:
https://www.hybrid-analysis.com/sample/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d
Verdict:
Malicious
File Type:
ps1
First seen:
2025-10-20T11:39:00Z UTC
Last seen:
2025-10-22T03:42:00Z UTC
Hits:
~10
Detections:
Trojan-Spy.Win32.Noon.sb Trojan.Win32.InjectorNetT.s Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798895
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Uncommon Userinit Child Process
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected MSILLoadEncryptedAssembly
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798895 Sample: slyxx.ps1 Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 37 www.symbolx.xyz 2->37 39 www.specialultra.xyz 2->39 41 9 other IPs or domains 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 57 7 other signatures 2->57 11 powershell.exe 22 2->11         started        signatures3 55 Performs DNS queries to domains with low reputation 39->55 process4 signatures5 67 Writes to foreign memory regions 11->67 69 Sample uses process hollowing technique 11->69 71 Injects a PE file into a foreign processes 11->71 14 aspnet_compiler.exe 11->14         started        17 conhost.exe 11->17         started        19 aspnet_compiler.exe 11->19         started        21 14 other processes 11->21 process6 signatures7 73 Maps a DLL or memory area into another process 14->73 23 rgYHUzM4SlF8vW.exe 14->23 injected process8 process9 25 userinit.exe 13 23->25         started        signatures10 59 Tries to steal Mail credentials (via file / registry access) 25->59 61 Tries to harvest and steal browser information (history, passwords, etc) 25->61 63 Modifies the context of a thread in another process (thread injection) 25->63 65 3 other signatures 25->65 28 TRRaFpCxWTs.exe 25->28 injected 31 chrome.exe 25->31         started        33 firefox.exe 25->33         started        process11 dnsIp12 43 www.simpy.store 103.224.182.242, 49705, 49706, 49707 TRELLIAN-AS-APTrellianPtyLimitedAU Australia 28->43 45 x50002.brwwww.com 192.250.245.162, 49691, 80 CNSV-LLCUS United States 28->45 47 4 other IPs or domains 28->47 35 WerFault.exe 4 31->35         started        process13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Base64 Block Contains Base64 Block PowerShell
Link:
https://app.malva.re/file/e15b940ed5b909ee26fee16a3cfe8a57
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d
Threat name:
Script-PowerShell.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 14:31:12 UTC
File Type:
Text (PowerShell)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3r4lqzs5jqitrxnrncyk4mbv62ody5whoe77un5zcl6usf4zm6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1d83c56880348a5bada3fafcd5b6ec6b0576e3ae898868803f271a577ffaa8f1
AgentTesla
47dd1fc6d808f2e0912cdd4d8a2e0a116830d03f4cebb2b416d4394cf18ecdb5
AgentTesla
5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0
AgentTesla
65a9420eb0bf4f37470b4e8932956df369ce6d75819aac48a7e69ceb308f122c
AgentTesla
77bbedef2cab829cc45157d48f82c6fb6cf2a5e3f191f24d7dc6d6207a9fd0d7
AgentTesla
8c0cd5bdae1355f8bc7f7af9102fb77eb8b52e432cdbe17c27456be4af1082ab
AgentTesla
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
AgentTesla
cc65788b0b15cdee3e9c1f9fc6dd4e5ed6d2f7148dee2cf067165fa82d0bda10
AgentTesla
error
AgentTesla
ffc8f79b6654ee83f5afac0fa12a5eeb666dc73b11d05c7fba51e7acab5928de
AgentTesla
+ 2'093 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251021-gkk8vs1qbm/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

PowerShell (PS) ps1 2ee3c5c332ea6089c6ed8b45857181afb4e1e3b63b89ffd1bdc897ea48bccb3d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3682325/
  
Delivery method
Distributed via web download

Comments