MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 4 File information Comments

SHA256 hash:	35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8
SHA3-384 hash:	374ca1dc7ee1e37f13f3f463f2c100cc936eec044bd81e8573ca38fcea4772b23ace100d4ead23c9a972a91977ec097d
SHA1 hash:	b9a4487d6028ebc4c8c295cfc8410001087bc5ea
MD5 hash:	1e8fd87bb96ef849e132817a1aad762c
humanhash:	sodium-oxygen-enemy-black
File name:	rnewenq.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	644'608 bytes
First seen:	2025-11-27 09:30:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:wLURA0+hK6MiG4JuC3HifyRapuRpI8FhPDw:VicN+3RCuPLw
TLSH	T180D401982B6CCF23D8A66BF24575E23143B55E9EA462D34A4FDEECCF7511B104A00B93
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	FXOLabs
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

rnewenq.exe

Verdict:

Malicious activity

Analysis date:

2025-11-27 09:32:03 UTC

Tags:

stealer ultravnc rmm-tool exfiltration smtp agenttesla

Link:

https://app.any.run/tasks/1a52731b-7644-473f-a1ef-51086a24ebe4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/41627/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69281a366657e3433281737e

Tags:

shell virus micro lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Sending a custom TCP request

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Adding an exclusion to Microsoft Defender

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-27T03:43:00Z UTC

Last seen:

2025-11-28T05:05:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.MSIL.Agensla.d PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.g Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.MSIL.Crypt.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Taskun.sb

Link:

https://opentip.kaspersky.com/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/56c6db4e-e2c1-4c6c-8a21-dbd0e1a16f71

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86

Link:

https://app.malva.re/file/1e8fd87bb96ef849e132817a1aad762c

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-11-27 06:59:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 36 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gxcnsp4ufjes35xsy6uqltamaxmnaaj7qnq66bctoywor3luu3ea._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/251127-lgrcxstqaw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7a4730fd-42ca-41a1-9acf-5c63184fbb51

Unpacked files

SH256 hash:

35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

MD5 hash:

1e8fd87bb96ef849e132817a1aad762c

SHA1 hash:

b9a4487d6028ebc4c8c295cfc8410001087bc5ea

Link:

https://www.unpac.me/results/318f2c36-524c-47eb-a094-e74df8d6e361/

SH256 hash:

3aa8ce5d4766e6fa27c0f3e031c1425b79322fc25ced61c68998ddd0fe84afe0

MD5 hash:

62963935f4f4a7a5d71e15077781146b

SHA1 hash:

374f566ec38e44ea82e0aef8c79417067b37f003

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/318f2c36-524c-47eb-a094-e74df8d6e361/

Parent samples :

5fc5368bad8a8b519f2c392b97c458d9425307b00d52aaadea20eba58e8eeb24
707fdafc56b969ced0f79032c766da29582068ae2630074ec8d41c4d53a73773
ac7a2d43da192df88b772d5f18ad2fbfff501236b4593c0e608474fedde91508
a0f0d732fb63ac2e8801fb5f3a7f969952a7fbdb8b2a782c64cb1c1c14bda72c
4528e9b7d05236ab6a225911e8978af4a7d49bc0221b5529d40ee85b60b0dae7
0be718f7b7a74c02cb6e13cf89c32e36e3385d3c8d6bf11459e8a43afafe4ab4
35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8
93d8f58337eb1309d7fadafe6707dde3a7d20d65870d05a689b3c2f264e61193
74ace00f731591af315dda87a91dcad538db3fab7a62d9e8612eef59dc128bde
e7a7b1d0ebf9cbb2760f3795b42b1b39596ab0eabf1cb12417ba2e8e42494708

SH256 hash:

af96fb8de14bd2add3ae7cc8528834d800284b80e2ca3caca4c632247dc64cda

MD5 hash:

07769cd9d5c5ad717808c162fd8252cd

SHA1 hash:

6dce6d7c11d7f0beb4fca1bf8d5356e8695d3771

Detections:

win_agent_tesla_g2

AgentTesla

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/318f2c36-524c-47eb-a094-e74df8d6e361/

SH256 hash:

fbfff94a9386dd48cb021d8be3b1161834c3f53bb03db57ce69dafd8a4072a05

MD5 hash:

ab2aa61c2ecafce91b4891542dca4258

SHA1 hash:

a443f7ff5f7c0f81d22059cc083b40c393fe9d72

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/318f2c36-524c-47eb-a094-e74df8d6e361/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/35c4d93f942a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 35c4d93f942a492df6f2c7a905cc0c05d8d0013f8361ef0453762ce8ed74a6c8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/41627/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample