MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273
SHA3-384 hash:	c180a7182ea6a72e4890c56681a81af0c6ab78a084063e1e46ac9cea7848a58f95ea91c2a4df741fdd69f4f2e5809ae1
SHA1 hash:	e9d8186378e11d7d0b36004a63ea18fddd9a2c60
MD5 hash:	5b25e9760857562e29e323a414cac5a4
humanhash:	high-fifteen-missouri-fruit
File name:	a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'905'691 bytes
First seen:	2025-11-06 10:46:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep	24576:K5xolYQY6c4aAGEc6iG+Vr4cQwheInXzYQRSv3jxeP1kzltpgoI3luO5JPPnsb:dY2dL0zXRg3jxetk5t653AkJnnsb
Threatray	158 similar samples on MalwareBazaar
TLSH	T18595CF25A2C0453ED22255B5CC2BD7C6A8197E212B147A5F77DDDB483BF92833C3621B
TrID	58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.4% (.EXE) Win64 Executable (generic) (10522/11/4) 3.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

_a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273.exe

Verdict:

Malicious activity

Analysis date:

2025-11-06 11:06:44 UTC

Tags:

delphi auto-sch stealer evasion ultravnc rmm-tool agenttesla

Link:

https://app.any.run/tasks/482e5569-01d3-4c3e-a859-6a00cfb9ec60

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35882/

Detection(s):

Win.Malware.Swisyn-7610494-0

Win.Virus.Sality-6335700-2

Win.Malware.Swisyn-9942393-0

Win.Trojan.VBGeneric-6735885-0

Win.Virus.Sality-6747602-0

Win.Trojan.Kazy-304

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690c7c9e5a5ed7864e23751e

Tags:

swisyn emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Setting a keyboard event handler

Setting a global event handler

Creating a file in the %AppData% directory

Sending a custom TCP request

Moving a recently created file

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Setting a single autorun event

Launching the process to create tasks for the scheduler

Enabling autorun

Enabling a "Do not show hidden files" option

Unauthorized injection to a system process

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Swisyn

Link:

https://www.hybrid-analysis.com/sample/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-16T03:33:00Z UTC

Last seen:

2025-11-08T00:11:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.Reconyc.hvob Trojan.Win32.Picsys.a Trojan.Win32.Agent.ugku Trojan-Dropper.Win32.Injector.sb Trojan-Dropper.Win32.Daws.sb Trojan.Win32.Shellcode.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.Win32.DelfInject.gen HEUR:Trojan.Win32.Convagent.gen Trojan.Win32.Reconyc.jmne Trojan.Win32.Picsys.b Trojan-Dropper.Win32.Dapato.sb PDM:Trojan.Win32.ScreenLocker.gen Trojan-Dropper.Win32.Agent.sb Trojan.Win32.Swisyn.bner Trojan.Win32.Agent.sb Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Agensla.TCP.C&C PDM:Trojan.Win32.Generic Trojan.Win32.Reconyc.sb Trojan.Win32.Reconyc.jlkg

Link:

https://opentip.kaspersky.com/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273/results?tab=lookup

Malware family:

MOFKSYS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d7c91839-5075-4989-bd12-8c418a2a18ca

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Link:

https://app.malva.re/file/5b25e9760857562e29e323a414cac5a4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Threat name:

Win32.Trojan.Golsys

Status:

Malicious

First seen:

2025-10-17 13:22:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uvshdkfopys3aekglg2yo4mdruhr3pvu4hyokywmkaqcg4x5gjzq._file

Verdict:

malicious

Label(s):

donutloader

dbatloader

mofksys

AgentTesla

295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

AgentTesla

2c34ff6ec34bb71edb9e73f29af4cbfc610da2c99e18b7f3c85535c097b1a87c

AgentTesla

46530747184b4d0d42eddf1685cc683368d6296453b4dfd0b812f4b852b7f71c

AgentTesla

68a48b85b26a63d37b965a012cf555112b2eab5ffab0833356e9f23902d9a7fb

AgentTesla

7fa7977427298708c795293c12fefc41483e4f37485685549130b4ad1bdac554

AgentTesla

a433c4a4a88ea7ade87bf36dd4ef522a8c6f13619f2ebf2bedbec029d59bb134

AgentTesla

d4409a190a74dd98d16c9818b60040256a024733be1e9f151dd46e3c4243abcb

AgentTesla

db0a172d5bcd62c6e1d71ba5799772f35f10b18fc0fdefccbc8eabae1272309a

AgentTesla

eb825b11d00bc3ec41e7856a59ebe1027e3f9c9128a177e182f688535f22bfb6

AgentTesla

+ 148 additional samples on MalwareBazaar

Result

Malware family:

mofksys

Score:

10/10

Tags:

family:modiloader family:mofksys defense_evasion discovery execution persistence trojan worm

Link:

https://tria.ge/reports/251106-mvpa6afv9d/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Adds Run key to start application

Looks up external IP address via web service

Executes dropped EXE

Boot or Logon Autostart Execution: Active Setup

ModiLoader Second Stage

Detects Mofksys worm

ModiLoader, DBatLoader

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modiloader family

Mofksys

Mofksys family

Verdict:

Malicious

Tags:

trojan Win.Malware.Swisyn-7610494-0

YARA:

Windows_Generic_Threat_2bb7fbe3

Link:

https://app.threat.zone/submission/993caef0-bd40-48d0-a4b2-1efcfbc41dce

Unpacked files

SH256 hash:

a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

MD5 hash:

5b25e9760857562e29e323a414cac5a4

SHA1 hash:

e9d8186378e11d7d0b36004a63ea18fddd9a2c60

Link:

https://www.unpac.me/results/b0e04b91-ae79-4bc4-91dd-d3c79803e154/

SH256 hash:

70698fb78e8c8f59095661514d33156483d20745ccd499f71b5cefd57d0d7137

MD5 hash:

d7fb0c9c3795025ffad4c94d96c23b68

SHA1 hash:

27822d5598d0fe8bd68401d1c06ab6a6b1aec70e

Link:

https://www.unpac.me/results/b0e04b91-ae79-4bc4-91dd-d3c79803e154/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/b0e04b91-ae79-4bc4-91dd-d3c79803e154/

SH256 hash:

3e9fedb9328eb488c37b1c4e80a7fe38e93ceb26a345a22c3f0bdd33dab658ff

MD5 hash:

8be2550629388c6ff99b18e2ca6a4c40

SHA1 hash:

f558f5dbb846720fb32376453739670e8498f099

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/b0e04b91-ae79-4bc4-91dd-d3c79803e154/

Parent samples :

f8d8e8cefdddc14bd1efd94853b1259109f35811f51082dfd33cb275f87ddb23
14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
24797e25716cbf6769a7437f693e9570e8cabfad8fcbe1c54b46b3c638cc6fd6
abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a56471a8ae7e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_Imphash_Mar23_2 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:	Internal Research

Rule name:	Windows_Generic_Threat_2bb7fbe3 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35882/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample