MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7
SHA3-384 hash:	db7e7a5fe51f02c2235b9bda5fde284066c2645fae4cfc8635ee604c793af2a9402af8c2b0505def0e92face4210cdaa
SHA1 hash:	f07e18e82e6732f0500ab388e049c5a4aae42878
MD5 hash:	5f82978326d7d0f87304b1d08a21d7b8
humanhash:	magnesium-enemy-march-don
File name:	purchase order number 4500569910.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'842'688 bytes
First seen:	2025-08-29 07:23:06 UTC
Last seen:	2025-09-05 13:35:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	489167944236d6a9867bd23fe0d07d1f (1 x AgentTesla)
ssdeep	24576:XUJFs+UhNHsDdZx7zxEpHA838dSDoQg1fNylyKmw1YzXAkxbeRSNBVHJX:XUg+iOxJdHyHYbASbeRSNn5
TLSH	T1D385BF559590C031D0A2753478A6F2CD4839BBF16D3468063FAE4B1EEFB9F5039292AF
TrID	65.0% (.EXE) InstallShield setup (43053/19/16) 15.8% (.EXE) Win64 Executable (generic) (10522/11/4) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1) 3.1% (.EXE) Win16/32 Executable Delphi generic (2072/23) 3.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

purchase order number 4500569910.exe

Verdict:

Malicious activity

Analysis date:

2025-08-29 07:26:36 UTC

Tags:

delphi dbatloader loader auto-sch stealer evasion ultravnc rmm-tool exfiltration smtp agenttesla netreactor

Link:

https://app.any.run/tasks/f784174b-5d24-4387-8880-22c66206799f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/24097/

Detection(s):

Win.Trojan.Delf-9848496-0

Win.Trojan.Modiloader-10042434-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b15578eb163e0ec18305f2

Tags:

autorun delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Moving of the original file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint formbook keylogger masquerade modiloader overlay overlay packed remcos unsafe zero

Link:

https://www.filescan.io/uploads/68b155722eee5ca64cac7f4d/reports/6cf0e488-2f8f-454c-96c1-c3d2757b727d/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-28T02:59:00Z UTC

Last seen:

2025-08-28T02:59:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7/results?tab=lookup

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8152fe85-b371-40e3-8213-ea7f5013e33f

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-08-28 05:58:46 UTC

File Type:

PE (Exe)

Extracted files:

124

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qutoh7wvkxvfji3475viohqr7ulu2jzvlwo5vulrrcj6tsrstdlq._file

Verdict:

malicious

Label(s):

agenttesla

dbatloader

unc_loader_001

Similar samples:

error

AgentTesla

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery execution persistence spyware stealer trojan

Link:

https://tria.ge/reports/250829-h738matl15/

Behaviour

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Looks up external IP address via web service

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Malicious

Tags:

Win.Trojan.Delf-9848496-0

YARA:

n/a

Link:

https://app.threat.zone/submission/8d89de9b-f42e-49e1-a828-3e852ba01d61

Unpacked files

SH256 hash:

8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7

MD5 hash:

5f82978326d7d0f87304b1d08a21d7b8

SHA1 hash:

f07e18e82e6732f0500ab388e049c5a4aae42878

Link:

https://www.unpac.me/results/0fcec8a5-1e28-4e7e-ad6a-8ed6264f5b02/

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8526e3fed555/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8526e3fed555ea54a37cff6a871e11fd174d27355d9ddad1718893e9ca3298d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/24097/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample