MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0
SHA3-384 hash: 760d79887b9b069fa91e60ab1238cac3528208d3f86c4e65f181496fe69b90a3ee5354f6057361e0e83ceb2e3bd9cf63
SHA1 hash: 4e42a176d34d26ec1f87f7e662db9912fb6a5393
MD5 hash: c12d600adf341e9413db5751192f70be
humanhash: mountain-beryllium-oregon-moon
File name:001093646673221.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:243'189 bytes
First seen:2025-09-26 11:25:13 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:XveovzZAE1+f8wfKzYEXpcJUAvyO/rR354BUPHp3XJrGJdabYyPpmwcmlpA:GOzSdkcuYE5gv3/NOAHk4Y6mwcmlpA
Threatray 1'533 similar samples on MalwareBazaar
TLSH T1EE34D6D45FBAFB5136892A6A82D584DB7F137315B70DA228295D78C053AE83C39343CE
Magika batch
Reporter lowmal3
Tags:AgentTesla bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
001093646673221.bat
Verdict:
No threats detected
Analysis date:
2025-09-26 11:26:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/42be3b86-b992-4141-9145-9d713299d415

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29156/
Detection(s):
SecuriteInfo.com.BAT.Obfus-7.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d67840d42217a4290be38e
Tags:
autorun lien
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/68d6784574e5a28989949f6b/reports/0e35214d-56ed-4c43-912e-2ea6ba062f2a/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-09-25T06:31:00Z UTC
Last seen:
2025-09-25T06:31:00Z UTC
Hits:
~100
Detections:
Trojan.PowerShell.AmsiBypass.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Agensla.TCP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agensla.sb HEUR:Trojan.BAT.Tesre.gen NetTool.PlainTextCredentials.FTP.C&C
Link:
https://opentip.kaspersky.com/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0/results?tab=lookup
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1784703
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1784703 Sample: 001093646673221.bat Startdate: 26/09/2025 Architecture: WINDOWS Score: 100 97 ftp.concaribe.com 2->97 99 concaribe.com 2->99 101 api.ipify.org 2->101 107 Suricata IDS alerts for network traffic 2->107 109 Found malware configuration 2->109 111 Malicious sample detected (through community Yara rule) 2->111 113 11 other signatures 2->113 9 cmd.exe 1 2->9         started        12 cmd.exe 2->12         started        14 cmd.exe 1 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 117 Suspicious powershell command line found 9->117 19 cmd.exe 1 9->19         started        21 conhost.exe 9->21         started        23 cmd.exe 12->23         started        25 conhost.exe 12->25         started        27 cmd.exe 1 14->27         started        29 conhost.exe 14->29         started        95 127.0.0.1 unknown unknown 16->95 31 cmd.exe 1 16->31         started        33 cmd.exe 1 16->33         started        35 10 other processes 16->35 signatures6 process7 process8 37 cmd.exe 3 19->37         started        40 cmd.exe 23->40         started        42 cmd.exe 2 27->42         started        44 cmd.exe 2 31->44         started        46 cmd.exe 2 33->46         started        48 cmd.exe 35->48         started        50 cmd.exe 35->50         started        52 cmd.exe 35->52         started        54 cmd.exe 35->54         started        signatures9 115 Suspicious powershell command line found 37->115 56 2 other processes 37->56 61 2 other processes 40->61 63 2 other processes 42->63 65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 2 other processes 52->73 75 2 other processes 54->75 process10 dnsIp11 103 concaribe.com 192.185.13.234, 21, 39124, 40860 UNIFIEDLAYER-AS-1US United States 56->103 105 api.ipify.org 104.26.12.205, 443, 49715, 49724 CLOUDFLARENETUS United States 56->105 77 C:\Users\user\AppData\Roaming\...\dc85.bat, ASCII 56->77 dropped 119 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 56->119 121 Drops script or batch files to the startup folder 56->121 123 Found suspicious powershell code related to unpacking or dynamic code loading 56->123 125 Loading BitLocker PowerShell Module 56->125 79 C:\Users\user\AppData\Roaming\...\b735.bat, ASCII 61->79 dropped 127 Tries to harvest and steal ftp login credentials 61->127 129 Tries to harvest and steal browser information (history, passwords, etc) 61->129 81 C:\Users\user\AppData\Roaming\...\23e0.bat, ASCII 63->81 dropped 83 C:\Users\user\AppData\Roaming\...\4143.bat, ASCII 65->83 dropped 85 C:\Users\user\AppData\Roaming\...\e6e5.bat, ASCII 67->85 dropped 87 C:\Users\user\AppData\Roaming\...\f263.bat, ASCII 69->87 dropped 89 C:\Users\user\AppData\Roaming\...\1002.bat, ASCII 71->89 dropped 91 C:\Users\user\AppData\Roaming\...\17be.bat, ASCII 73->91 dropped 93 C:\Users\user\AppData\Roaming\...\658f.bat, ASCII 75->93 dropped 131 Tries to steal Mail credentials (via file / registry access) 75->131 file12 signatures13
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0/
Verdict:
Malicious
Threat:
Trojan-PSW.PowerShell.FTP
Link:
https://tip.neiki.dev/file/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0
Threat name:
Text.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-25 10:22:49 UTC
File Type:
Text
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=su4v24eeazx7qk53jcx2uuki2fznhsyccodxsitca4ahdvixwxya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
044d63ab7ef7390e0db6d6809165edaefc81b164e32ccb8f6bc522a746254f3f
AgentTesla
5496c8de0d154dbedf97dd0b4c5c854f827c2c84a5d1320378506b421d9df90b
AgentTesla
864c37e89869ea3662f720df0acabf8cee0c861b5b908515f805746b432a7260
AgentTesla
8898cadc10c37da4ae4ee2da7b37b5f60fb081918e1d5cf7aedccc3c37a40005
AgentTesla
92cd5b811f58f0fab4637e26b23e09780af5b3ad197c68eb05fdf480706e9e06
AgentTesla
939a66d4d9702e973dfbcf9144290a7a4f708626fe10f5e004c54974a6774c77
AgentTesla
9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af
AgentTesla
b355c43bd26f9727f4a9461afe6ee78995deceb671ebfddc6f7cf895cc663a02
AgentTesla
bc9850a2d113f4653d3e20d7d09054240d88a74a2157fd213a6433a489d9b81d
AgentTesla
dfa331f1fd51ebe6f1d20c667a0bf42c27d634f3d0135aef4ad7c1579d43cdbd
AgentTesla
error
AgentTesla
+ 1'523 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250926-njm5dsxsft/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/95395d708406/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Batch (bat) bat 95395d7084066ff82bbb48afaa5148d172d3cb021387792262070071d517b5f0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29156/

Comments