MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
SHA3-384 hash: ac6ef8a6450f57c646bef70119163a1c7b215567a0c442825f7e8929175f30a08ab0f145d1e332c1c68a853894152c1a
SHA1 hash: 452b3a3d34e38fa0016236440111a230afc7b94a
MD5 hash: 69d7561675bcbbb116fe1d138b95b0e3
humanhash: single-triple-hotel-uniform
File name:2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
Download: download sample
Signature AgentTesla
Create hunting rule
File size:710'656 bytes
First seen:2025-12-08 14:57:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QSnOJmFDeXOvU2lLggimCSSCDfwBBuVxexlLDDQ+joJnQX/MZvGIEOkJPFn:t9TXLgg9CSSu4BQVk9DQ+joJPZVEOuP
Threatray 417 similar samples on MalwareBazaar
TLSH T179E4125EBE5ABE06CE2D6F77C803588844F18423D430FB6799DA2CD12E59B42C88ED57
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/e12e5213-6c36-4cc0-b0dc-e6b58fe46f96/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
Verdict:
Malicious activity
Analysis date:
2025-12-08 19:22:41 UTC
Tags:
stealer ultravnc rmm-tool exfiltration telegram agenttesla ims-api generic
Link:
https://app.any.run/tasks/4b1f621a-90fe-479c-97b7-d54b922e2b07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43259/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e7de881313558a2b8984
Tags:
virus shell lien msil
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-14T00:35:00Z UTC
Last seen:
2025-12-10T02:45:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f76d7d93-093a-4ad5-aab9-6351b6f76ac2
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.35 Win 32 Exe x86
Link:
https://app.malva.re/file/69d7561675bcbbb116fe1d138b95b0e3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-11-14 03:40:41 UTC
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7yinqi2yjc4gvrteeersfrfqz3xkfvqywwkamrc6wqscujmjsaq._file
Verdict:
malicious
Label(s):
unc_loader_001
Create hunting rule
agenttesla
Create hunting rule
unc_loader_037
Create hunting rule
xworm
Create hunting rule
Similar samples:
3d60993b1ca1c6786c9c2fe6c6b7c2574fcfa5e28101181f7c29c6c5ddf54c37
AgentTesla
5937ec8f18e55b4cf85388c886992ecf7ada1a3a0ba17688e4fa6ecb2f9f81f6
AgentTesla
a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
AgentTesla
error
AgentTesla
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
AgentTesla
+ 407 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251208-sccsasdm2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8354849493:AAF-o67GHd1sIu0e-6asIvzWO3nrSq8l0ig/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fce5427e-4620-410e-bbac-f5ff8fad0e6d
Unpacked files
SH256 hash:
83870580f98ed4920c38b5f7666dcda84d7c9fc402d8b1a743d722321996a16d
MD5 hash:
0258ee99a74f22dc1c4e23a68b9830ae
SHA1 hash:
0091e4172706f6416b44fcdad569975d1461034d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
SH256 hash:
01fdc9f1647dec45f7314824ee67a0066a816f8e09ec06f97a466716545de210
MD5 hash:
9d50f0dbabecc0e8ca34008578342306
SHA1 hash:
3a3116d62066272af40ec3d5b30bdcccca2dd947
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
Parent samples :
c91267225764229b8a282e938b02a1408997d0d1e5558ca841a009bade568027
2af765eda09831851e8d69b1d4d52ec87429fe40f8d03f533e75464a8caaf60c
59aedd0ba303a510c3278eabc30b79e8ec3268d3e0b7ac28466d7caf5c6863aa
2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
SH256 hash:
f44a97ba959a2f1b2154d69c4d118fd16bc5608f7f1dcf4f36bd44c6543b3b9a
MD5 hash:
64a9dd1563f828735d8bb70617bd4d5a
SHA1 hash:
85cfa4ff543dc85b7c8247876c9a8bee99cd9091
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
SH256 hash:
7029fb7d13e1f7a94901940436515aa9371dc8032030fb591cdea0196dddb594
MD5 hash:
c6cd8b27cd788f20b73102d2e0e965b2
SHA1 hash:
061723038a7cacfcc213b0c76ab5f048364bee50
Detections:
RedLine_Campaign_June2021
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
Parent samples :
c91267225764229b8a282e938b02a1408997d0d1e5558ca841a009bade568027
2af765eda09831851e8d69b1d4d52ec87429fe40f8d03f533e75464a8caaf60c
59aedd0ba303a510c3278eabc30b79e8ec3268d3e0b7ac28466d7caf5c6863aa
2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
SH256 hash:
8161a21b31a4979d7097316fbbc94585de4fecf9400c76b7e97116e9badf26b3
MD5 hash:
54c14628194fcc928a013c7d0c74637d
SHA1 hash:
99a4030c36eca1b36a701c6d55a7ba03e27c972d
Detections:
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
Parent samples :
c91267225764229b8a282e938b02a1408997d0d1e5558ca841a009bade568027
2af765eda09831851e8d69b1d4d52ec87429fe40f8d03f533e75464a8caaf60c
59aedd0ba303a510c3278eabc30b79e8ec3268d3e0b7ac28466d7caf5c6863aa
2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
SH256 hash:
2ff086c11ac245c35633210919162586777516b0c5aca03222f5a121512c4c81
MD5 hash:
69d7561675bcbbb116fe1d138b95b0e3
SHA1 hash:
452b3a3d34e38fa0016236440111a230afc7b94a
Link:
https://www.unpac.me/results/96a6628c-f5c7-4ee6-85b4-db24ff1c8e39/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43259/

Comments