MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
SHA3-384 hash: 2e406a056f2d6240fecebfdbfd7f43c3d39b9f2a3cef9345fbb2e5aaca67bf4fb6314c01429933d713c499f6c5135136
SHA1 hash: d664a969415b2e6991c58b1412559c5bd7da3960
MD5 hash: 253078a33181034260d5484bcba6a6a1
humanhash: mexico-five-saturn-moon
File name:z36FACTURA-09876567890987645678.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'593'344 bytes
First seen:2025-10-14 16:00:12 UTC
Last seen:2025-10-14 21:26:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b40609de886ef72ceb73cff55949ffee (3 x a310Logger, 2 x DBatLoader, 1 x AgentTesla)
ssdeep 24576:VfDh9RTCMxKy+9CunRyQ8UY7NG3I1GN9QeJqb70Y7AGOYy:VF7TtEp8UY743SQmwMQf5t
Threatray 78 similar samples on MalwareBazaar
TLSH T14375D012F282857BD026167E4C2BEBD6691CBB612F24B85E7BED1E0C7F3D5C27416092
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter FXOLabs
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9.exe
Verdict:
Malicious activity
Analysis date:
2025-10-14 16:38:22 UTC
Tags:
delphi auto-sch evasion stealer ultravnc rmm-tool agenttesla
Link:
https://app.any.run/tasks/dfc907b1-112f-4af2-8938-102ca172baaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32767/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee73d504e22ce9acda0fcb
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Moving of the original file
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi fingerprint keylogger masquerade overlay packed zero
Link:
https://www.filescan.io/uploads/68ee73de71883144ef36b394/reports/90abfb48-294c-47a4-ba3e-5222e56ee528/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T12:05:00Z UTC
Last seen:
2025-10-14T12:49:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42faa762-3b5b-49ee-856d-6b4c71c4db51
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/253078a33181034260d5484bcba6a6a1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 16:02:01 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucpdlibhxvt55al5xe3xksm7syo44lfym522mm6yyn6dn4eddcuq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
29c0926ce65fb1f21dbf99788c837a9d281dbf14ce231c6c48cd97048bbc0278
AgentTesla
68e4f5fa48a43147614b9ded12822c3342d43c67acc20dda2b65e45bf2547af6
AgentTesla
8c559eb37c00fb47e505e162749b8ae9d7f8e235da0454d43b8b0841ac492639
AgentTesla
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
AgentTesla
d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313
AgentTesla
error
AgentTesla
f8d8e8cefdddc14bd1efd94853b1259109f35811f51082dfd33cb275f87ddb23
AgentTesla
fd071bfd6b5be81edd4364bb3e7a149060b2a11bb5f75fcc2b4bf8d57ef3a711
AgentTesla
+ 68 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence trojan
Link:
https://tria.ge/reports/251014-tgl27scj3x/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Looks up external IP address via web service
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a7d6792f-ba03-4124-a859-5c58e85d1f56
Unpacked files
SH256 hash:
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
MD5 hash:
253078a33181034260d5484bcba6a6a1
SHA1 hash:
d664a969415b2e6991c58b1412559c5bd7da3960
Link:
https://www.unpac.me/results/63870a51-5e4f-4091-b1d1-2e46ec2f58dd/
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/63870a51-5e4f-4091-b1d1-2e46ec2f58dd/
SH256 hash:
3e9fedb9328eb488c37b1c4e80a7fe38e93ceb26a345a22c3f0bdd33dab658ff
MD5 hash:
8be2550629388c6ff99b18e2ca6a4c40
SHA1 hash:
f558f5dbb846720fb32376453739670e8498f099
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/63870a51-5e4f-4091-b1d1-2e46ec2f58dd/
Parent samples :
f8d8e8cefdddc14bd1efd94853b1259109f35811f51082dfd33cb275f87ddb23
14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
24797e25716cbf6769a7437f693e9570e8cabfad8fcbe1c54b46b3c638cc6fd6
abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a09e35a027bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32767/

Comments