MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 17

SHA256 hash: a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877
SHA3-384 hash: 922e13038d4a8d1dbf3648b7833e3fdcd99a0e5381b428ef02d41a73f5edd1c0341eed311f863aaf320be17a3fb6b72e
SHA1 hash: 888c2fc2009707de0cf0c84955dfc9bef261e898
MD5 hash: 3fde9821d1c369b26acdfb56ebf343f0
humanhash: fix-football-hamper-diet
File name: a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877
Signature: AgentTesla
File size: 611'328 bytes
First seen: 2026-02-05 15:01:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 21371b611d91188d602926b15db6bd48 (74 x Formbook, 60 x AgentTesla, 21 x RemcosRAT)
ssdeep: 12288:oz7hU5I5yuNHIgzSFKxWltRohBfSTso93UnFVulAyG0Wu/xykdCiQH:of+iN57Gtene3CulAyG8yhiy
Threatray: 3'621 similar samples on MalwareBazaar
TLSH: T193D42392599059A1C1807331C836CC5199B83D719E46B37F9769FA7ABC703C3EE2368E
TrID:
  39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: adrian__luca
Tags: AgentTesla exe UPX
File size (compressed): 611'328 bytes
File size (de-compressed): 1'117'696 bytes
Format: win32/pe
Unpacked file: b20c1983024b6fc695fa952f8f938a76b2954bc27ee2519b41a4426c00547c41

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: HU
Vendor Threat Intelligence

Malware configuration found for: AutoIt, PEPacker
Details:
  AutoIt: extracted scripts and files
  PEPacker: a UPX version number and an unpacked binary

Malware family: agenttesla
ID: 1
File name: a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877
Verdict: Malicious activity
Analysis date: 2026-02-05 16:04:49 UTC
Tags: stealer agenttesla exfiltration ultravnc rmm-tool smtp
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.1%
Tags: autoit lien

Verdict: Malicious
File Type: exe x32
First seen: 2026-01-11T20:41:00Z UTC
Last seen: 2026-02-04T20:10:00Z UTC
Hits: ~100

Verdict: Malware
YARA: 5 match(es)
Tags: AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2026-01-12 00:56:50 UTC
File Type: PE (Exe)
Extracted files: 51
AV detection: 15 of 24 (62.50%)
Threat level: 2/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla discovery keylogger spyware stealer trojan upx
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of WriteProcessMemory
  Program crash
  System Location Discovery: System Language Discovery
  AutoIT Executable
  Suspicious use of SetThreadContext
  UPX packed file
  AgentTesla
  Agenttesla family
Unpacked files:
  SHA256 hash: a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877
  MD5 hash: 3fde9821d1c369b26acdfb56ebf343f0
  SHA1 hash: 888c2fc2009707de0cf0c84955dfc9bef261e898

  SHA256 hash: b20c1983024b6fc695fa952f8f938a76b2954bc27ee2519b41a4426c00547c41
  MD5 hash: b5ab4bbc257f27987593d558996e7004
  SHA1 hash: b3d5c76d1012bee512810e60f65770f8683d9af3
  Detections: AutoIT_Compiled

  SHA256 hash: af5f53021774cf410f7cc1be223f3dd88e3c6439cfa384bb64ed749c7e5390c7
  MD5 hash: 71d57788cede0516516dae01575e2331
  SHA1 hash: 21306f0870d06c40d568218dc3c9e7023cb4ae03
  Detections: win_agent_tesla_g2 AgentTesla Agenttesla_type2 INDICATOR_EXE_Packed_GEN01 INDICATOR_SUSPICIOUS_Binary_References_Browsers INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Parent samples:

Family: AgentTesla
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: AgentTeslaV5
Author: ClaudioWayne
Description: AgentTeslaV5 infostealer payload

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: INDICATOR_EXE_Packed_GEN01
Author: ditekSHen
Description: Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author: ditekSHen
Description: Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Author: ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Author: ditekSHen
Description: Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name: malware_Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X

Rule name: upx_largefile
Author: k3nr9

Rule name: Windows_Generic_Threat_9f4a80b2
Author: Elastic Security

Rule name: Windows_Trojan_AgentTesla_ebf431a8
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malware family: AgentTesla
File type: Executable exe
SHA256: a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877 (this sample)