MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
SHA3-384 hash: b27a7472b3ad797e13c244e79d048ee9a5b1b8707e1d87a69bd516966623fc6eddad83211a03d0c7d4bf6275f3d8fa01
SHA1 hash: 161cdb67f91f2887eefc6e8b6d7c18b6c31b394a
MD5 hash: 04a8f2ba2cce59f871643b84be5f1358
humanhash: iowa-pip-freddie-pasta
File name:Purchase_Order_P.O_2025052.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'065'472 bytes
First seen:2026-05-20 17:35:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (144 x Formbook, 35 x AgentTesla, 32 x a310Logger)
ssdeep 24576:utb20pkaCqT5TBWgNQ7aHrdnU7cwPsK6A:bVg5tQ7aHriAwL5
Threatray 2'739 similar samples on MalwareBazaar
TLSH T1FD35BE1273DEC3A4C77251737A6677026FBB782A06A5F85B2FD8093CB920121525FA73
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 22 x AgentTesla, 21 x LummaStealer)
Reporter TomU
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
AgentTesla AutoIt AutoStones
Details
AgentTesla
a c2 communications type, and based upon the c2 communications type: SMTP, HTTP, FTP, TELEGRAM, or DISCORD WEBHOOK parameters
AutoIt
extracted scripts and files
AutoStones
the names of side-loaded components and, if available from processing of a parent file, the deobfuscated components
Link:
https://research.acce.ciphertechsolutions.com/results/94b8da2d-a66a-415a-ac2d-feb923aa1551/
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef.exe
Verdict:
Malicious activity
Analysis date:
2026-05-20 17:42:38 UTC
Tags:
stealer auto-startup ip-check evasion ultravnc rmm-tool agenttesla
Link:
https://app.any.run/tasks/192c887e-c014-490d-a7de-3125df3611f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66834/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0df28d4f2b29ce0401edec
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Reading critical registry keys
Launching a service
Changing a file
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint keylogger masquerade microsoft_visual_cc packed reconnaissance
Link:
https://www.filescan.io/uploads/6a0df45befbd399b39c01679/reports/6e2d32bd-0d9e-4c34-a7e3-309ca8d6a98c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-05-01T21:59:00Z UTC
Last seen:
2026-02-18T08:33:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Inject.sb HEUR:Trojan.Script.AUO.gen PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ffde8cd-11be-444d-8451-86c439366d8f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-05-02 00:03:37 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ib6lxmbhf2m4dnstmmqdbi47axfb2trsypu54egs4rgjlllvoxxq._file
Verdict:
malicious
Label(s):
autoit
Create hunting rule
agenttesla
Create hunting rule
unc_loader_036
Create hunting rule
Similar samples:
3d5c6d39c05f201d05895f0f360cb80e7c1a6aae3e5dd1f6fdf1c4adc2b01971
AgentTesla
c64e2f1cce0e7eb8fbadb10a60844c69bab75dc8260faa5aa3939c1c905bd279
AgentTesla
db20362944b01c8a7e34ab46ed75e9e07fdb02dd2b00033404e9580e0dfa3bcf
AgentTesla
e6c14e992a954123183e8826d8004d890ed4f5f3b9899901a4a9965275424033
AgentTesla
+ 2'729 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/260520-v6kfcaez4l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Drops startup file
Executes dropped EXE
Family: AgentTesla
Unpacked files
SH256 hash:
407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
MD5 hash:
04a8f2ba2cce59f871643b84be5f1358
SHA1 hash:
161cdb67f91f2887eefc6e8b6d7c18b6c31b394a
Link:
https://www.unpac.me/results/584e3609-7b0f-49b2-bbda-af8f5a55ba74/
SH256 hash:
407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
MD5 hash:
04a8f2ba2cce59f871643b84be5f1358
SHA1 hash:
161cdb67f91f2887eefc6e8b6d7c18b6c31b394a
Link:
https://www.unpac.me/results/584e3609-7b0f-49b2-bbda-af8f5a55ba74/
SH256 hash:
29f8b350aeba40cfccf28c23090b8e557b76e619a2471e462d335e4d1a20f5e5
MD5 hash:
b690afa67858fc598edc33b2370ce675
SHA1 hash:
9c3ca1c234d0175e75c6e8c302cab7765a3f5490
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/584e3609-7b0f-49b2-bbda-af8f5a55ba74/
Parent samples :
b512c9be094e9088a86375d9e4742e68d29290186070c814e5551df29d527b87
0eaf1c6a3d5eaad0f721defef200c8b642fbca68860f50d013935f639d1d37f1
726e0819a9c9a1c758f942751eb3094286f92112fb606105f4ee8d6712fae3e2
1c6539b016ce5ffa3325aa1a189c03957fb9ef820199ff0666de22770c595d1a
1f69c661fee755f82f000d42410bfc03fdd652645514cf31af47252e741ed803
947f5c02062aba74146c091a33764bbaf8b4fd6649adff5fc6c646f67b5a3336
f5bd87f4c6708ac85ea0794b5fc10df4f9bf57f0913de3084ba4a1771d37feda
e9d0aa431428a4a7b7d4eb0802a542a861878e653cf0303d2185e728fb2f6051
3ace28860627873118f56c078b0b0f65f8e135aa786ac27aaaf2bd2bc83d87f7
38fc002a41d1595b490e09dc66a52d1d797363d59dc7dff4737332902bfe8975
796648acf363ac16673e391896a32254620b79d3bcd3d37dd90d4164ec137340
24226699f16ebdcae1dcea992c54fa06bb75a867311142e181c9fed75c6aa221
1cc83a1aaefd8f27218234707d6f42d9b8308bebaa2ee66461e90b9d2de82dbe
d80f0d38806ac110447bee1ea5e9d901e600d67fa1ce4b9b123fae841cf5af00
a36a8a84e36b0e121ed1884c94c8b27928c3def918282b6c87d598dddd8f63b5
60ca2d9fc5e1a088f6338456580085ccb67c660f9167ef48a8767adec10133df
db5d6808eb08b5e442b6c6ff6e420bae8efd8dac75a64cf5bddaa3375847eaaa
ea3f8e935a9f94910953b207faadeba9488b49c1b0684b8c848cbebd1fd7590d
407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef
68ad4d6a15483537627c0cb6f931859f9e8167491708e010311eae246df45826
7ba04c7ed3be53eb7b96b8f25dc7fa2323e2f9366580407a2f904776e87ceb82
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 407cbbb0272e99c1b653632030a39f05ca1d4e32c3e9de10d2e44c95ad7575ef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66834/

Comments