MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 20

Intelligence 20 IOCs YARA 9 File information Comments

SHA256 hash:	a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
SHA3-384 hash:	b6430f2b07480898289ca889d12420bfa4be00ee16227a80b4673aa4aad4c1f02a5728f44151fb78066b644906952097
SHA1 hash:	e6d89f986087965bb2378b8d70d4c7ca07bc3f2c
MD5 hash:	49269c2c74f14d99fae13730605b23fb
humanhash:	jupiter-violet-wisconsin-red
File name:	ungziped_file
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	673'792 bytes
First seen:	2025-10-28 10:13:51 UTC
Last seen:	2025-11-03 10:27:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:+cVbQF6eS3vObBVtQioBha4vywjMMVruzOaGx:+chQF+ObBVCTLqOMO7a
Threatray	386 similar samples on MalwareBazaar
TLSH	T1F7E412683325D403D5A153B80AF1F27613B86D64DA22E3CA9ED97EDF3AE6F005C10697
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

ungziped_file

Verdict:

Malicious activity

Analysis date:

2025-10-28 10:18:04 UTC

Tags:

stealer ultravnc rmm-tool telegram exfiltration agenttesla ims-api generic

Link:

https://app.any.run/tasks/a9769395-3ec0-4926-acf1-c7b7a98e33d2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTesla

Link:

https://www.capesandbox.com/analysis/34492/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6900987d9942f1282ec99b73

Tags:

lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Changing a file

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/69009a9f3a79800405fa8795/reports/2629b366-89af-4725-903b-255dbeb84fc8/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-27T00:13:00Z UTC

Last seen:

2025-10-30T08:21:00Z UTC

Hits:

~1000

Detections:

Trojan-PSW.MSIL.Agensla.g Trojan.MSIL.Inject.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d HEUR:Trojan-PSW.Win32.Convagent.gen Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Trojan-PSW.Agensla.TCP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Stealer.sb HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Agent.gen Trojan-PSW.TeleBot.TCP.C&C Trojan-PSW.TeleBot.HTTP.C&C HEUR:Trojan-PSW.MSIL.Agensla.a Trojan-PSW.Win32.Disco.sb

Link:

https://opentip.kaspersky.com/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5/results?tab=lookup

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/57d79494-38ca-4502-8f8c-4269dd437300

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.39 Win 32 Exe x86

Link:

https://app.malva.re/file/49269c2c74f14d99fae13730605b23fb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5/

Verdict:

Malicious

Threat:

Family.AGENTTESLA

Link:

https://tip.neiki.dev/file/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-10-27 03:07:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uwskkrd3khwustx2vk7egwnt4z2bqvsz6si5yiqc6qec7pzojw2q._file

Verdict:

malicious

Label(s):

xworm

agenttesla

unc_loader_037

unc_loader_001

AgentTesla

8f00c8674d82656d7d6c10bb2d12db37b9b47f7d31aa70a7fa849aa477e6480b

AgentTesla

990cc201ee270b003ed4376fb1493086d88b11d31489d1fa756e03295cb1d1d8

AgentTesla

a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

AgentTesla

b5f632b84f561d8cb108a24a19230d558c578b134845f97132c228fa76197ae5

AgentTesla

cd911ede1b7b20441b5955a511f13d75ba687eee9ae1b2a5d2b960a36f44d76a

AgentTesla

error

AgentTesla

+ 376 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/251028-mgyyfafl8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Agenttesla family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0206245b-f3a0-4c30-8150-59b51a44678f

Unpacked files

SH256 hash:

a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

MD5 hash:

49269c2c74f14d99fae13730605b23fb

SHA1 hash:

e6d89f986087965bb2378b8d70d4c7ca07bc3f2c

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

SH256 hash:

c62382931a7aed1e8de28959172ff3eb26d47c471ba9347c07d7066650857a60

MD5 hash:

71095a501cce13b1c0da801a899c88aa

SHA1 hash:

0970d7d1ae4619b9fdec4fdeeb0f8e4d95eed11c

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

SH256 hash:

3ae55cca8be24635fd077a32192ba5f64c02c800307b62d9cd701e78b6744f63

MD5 hash:

d6840ad923a9207d9b8ebadf85e415aa

SHA1 hash:

193d84e2cabdc5cbdd8dbd95713b85f0e54facbe

Detections:

win_samsam_auto

SUSP_OBF_NET_Reactor_Native_Stub_Jan24

MAL_Malware_Imphash_Mar23_1

MetaStealer_NET_Reactor_packer

MALWARE_Win_RedLine

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

Parent samples :

a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5
265554c3c9bed3daf8d0e8af54e50c35a91aedf15d80b7407bc3b35b65df5b57
e9a609b01e629a8049f1cd23ae0d02e20593cc95e7f80add9d07bb4480318d20
280963f5ae530ba9621935e1c05856483a98efa572fdb4607a1fc5e08d1e949b

SH256 hash:

a94300bda9189abc3b9a26ef91a92d5cb8bf05d0770f6f702f20813a6e3358c1

MD5 hash:

d6455a4f7f7db0c4280ab5ad5bc077e5

SHA1 hash:

493dc4d02ceb374e4b335c1fb74f8ca9dcd370f8

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

SH256 hash:

410e3510a25fcc2ef8743b13950f07fda481824e59632755e53c9fbe5c3e284e

MD5 hash:

03ceb47cc681b9cf8d91c47e6cb6ec3f

SHA1 hash:

5136718b18dcbeb688af803a4f5e2f47cc19fd5d

Detections:

RedLine_Campaign_June2021

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

Parent samples :

SH256 hash:

c5bcb941dea5084c2bd6367480b26825e71e3c25ebb8bb72ffc82e13df60b4df

MD5 hash:

bec250dd7a877ee2c7bbacf523d3e8da

SHA1 hash:

f20846e9be503768bbe67d1280a939f732b654fa

Detections:

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/d11ddd80-0aa1-4130-af0e-55d2819e2447/

Parent samples :

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a5a4a5447b51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_RedLine Create hunting rule
Author:	ditekSHen
Description:	Detects RedLine infostealer

Rule name:	MAL_Malware_Imphash_Mar23_1 Create hunting rule
Author:	Arnim Rupp
Description:	Detects malware by known bad imphash or rich_pe_header_hash
Reference:	https://yaraify.abuse.ch/statistics/

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_samsam_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe a5a4a5447b51ed494efaaabe4359b3e674185659f491dc2202f4082fbf2e4db5

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/34492/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample