MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514
SHA3-384 hash: aaa0215baa3acc04f4246010b4765d359716ca6f2aa7fa57be5c915d074728271eca581c9587af80de8c00c917526999
SHA1 hash: 58fb867d4d325075fbc5e5ff7b2e02fd97e8b7f8
MD5 hash: eaf95dd93131477697c0e49ba5c23a69
humanhash: carbon-sierra-juliet-quebec
File name:copia del pago anticipado.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'108'480 bytes
First seen:2026-06-01 20:52:21 UTC
Last seen:2026-06-02 07:05:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'011 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 24576:87lD3j4+ugZU/FHGtYINStGFt2CHEQCvoGF+YV:8pduWU/hGtNNStGF0CHOvvF+
Threatray 40 similar samples on MalwareBazaar
TLSH T14035DF226E832F68FA391F3C800214686BF4D8525226E75FBFFC91A51EA7F45CD27605
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
153
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/4400bb5b-44f9-4dba-ba29-ca20a2ffe057/
Malware family:
n/a
ID:
1
File name:
_9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514.exe
Verdict:
Malicious activity
Analysis date:
2026-06-01 20:54:28 UTC
Tags:
netreactor stealer ultravnc rmm-tool
Link:
https://app.any.run/tasks/2db7a444-b0b8-47f7-a59d-c9ba37388b08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68735/
Detection(s):
Win.Packed.Malwarex-10059342-0
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a1df13d5a2e3b5e58e519cd
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/6a1df13b46e44aecc0c8e32a/reports/19923d7b-7246-488d-9818-8efe03e121b3/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d HEUR:Backdoor.MSIL.XWorm.gen Trojan-PSW.MSIL.Agensla.g HEUR:Trojan-Spy.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2f34a76-f734-4802-aa38-9277ba03eb68
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1921351
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514
Gathering data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-01 20:53:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqa47w7dkyyrfhtv45swkkknvxed2ite6o4xt3a27iwq2dvkyuka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d83c628410771e9c37d16b83b3fca649732b5d7fc756939af9974a285c62f59
AgentTesla
4e3a83b32bfb612a260f56d721464ef4aec86c8ea76495a2ff0bef8c1338837d
AgentTesla
6bba90e398a1387232b43fe32f6cd8cdb0c2514524ea03939456fdfb1ef1790c
AgentTesla
bcb909b14cbc4682da59cf508d80cb17117091d445d2426ee17f6c8b501600f7
AgentTesla
error
AgentTesla
+ 30 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/260601-zpd98agv2q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
.NET Reactor proctector
Family: AgentTesla
Unpacked files
SH256 hash:
9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514
MD5 hash:
eaf95dd93131477697c0e49ba5c23a69
SHA1 hash:
58fb867d4d325075fbc5e5ff7b2e02fd97e8b7f8
Link:
https://www.unpac.me/results/9b423276-8bd8-4d94-b4f0-0de92b4fac3e/
SH256 hash:
ac400b0769b063f91614a07bc119bc5b44e5237064870728b449036dcc4b67e1
MD5 hash:
85908e3e3270b1cc66d4350a44411d31
SHA1 hash:
46ee969e0851ba17e735345aefcdc0816f2b7c57
Link:
https://www.unpac.me/results/9b423276-8bd8-4d94-b4f0-0de92b4fac3e/
SH256 hash:
c1248ff22f0e4aeab9c4259b8eec3eecd138dc05b1215c8ac210a2b4a9a5c0e2
MD5 hash:
8a84553d4cc547545f5b816ee1954367
SHA1 hash:
5bbf5464102793efa1d7c0f476460041166d0e64
Link:
https://www.unpac.me/results/9b423276-8bd8-4d94-b4f0-0de92b4fac3e/
SH256 hash:
11d0caac741831b70beecd1b70c5bd6018a67c564af9ec9834a1b3747e340d67
MD5 hash:
4fc1f0db3bba3fa184a5ce5d14802d01
SHA1 hash:
af72f3d073f28387669837b0f64034d61000aabf
Link:
https://www.unpac.me/results/9b423276-8bd8-4d94-b4f0-0de92b4fac3e/
SH256 hash:
79d4000aac604c62607e326148a644258e46c168675ee982651517bec9bbdb69
MD5 hash:
c3042b407753183e49d93957755edfa5
SHA1 hash:
fed1018c06368f903e0ed496d719a69e225c71a0
Detections:
win_agent_tesla_g2
Create hunting rule
triage_agenttesla_infostealer
Create hunting rule
Link:
https://www.unpac.me/results/9b423276-8bd8-4d94-b4f0-0de92b4fac3e/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c01cfdbe356/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9c01cfdbe35631129e75e76565294dadc83d2264f3b979ec1afa2d0d0eaac514

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68735/

Comments