MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad7b9eaa692cbfe6e256b632603baf378c58c06d5f742e55bc9b751b8c022e2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

SHA256 hash: ad7b9eaa692cbfe6e256b632603baf378c58c06d5f742e55bc9b751b8c022e2f
SHA3-384 hash: b672c70728d36b1f32bdec5dec1b297d3561f93d4ad7af74a5dcf73386d0e35013afdfd4352c6ad59ece750d76fa2555
SHA1 hash: 2f8901c94deec1f6c7507e64c04ed6bd848c40f2
MD5 hash: a4c4895dd97efc81a44272f9dd1110bb
humanhash: zebra-whiskey-cold-single
File name: ad7b9eaa692cbfe6e256b632603baf378c58c06d5f742e55bc9b751b8c022e2f.xls
Signature: AgentTesla
File size: 1'735'168 bytes
First seen: 2026-07-01 06:58:48 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-office
ssdeep: 49152:qe5dl+VB3cN2aNpjn3YGIT7TIpIfJ27bs:qecoN5Ls97TG0U7bs
TLSH: T1A285238076E24F06F13F59B195F3470E123A6E85EE14C79773A8331FA57E9A026A234D
TrID: 58.9% (.MSG) Outlook Message (71000/1/4)
      34.4% (.OFT) Outlook Form Template (41500/1/1)
      6.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: xls
Reporter: JAMESWT_WT
Tags: AgentTesla Spam-ITA xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 97 sections in this file using oledump:

Section ID   Section size   Section name
1            88 bytes       SummaryInformation
2            219 bytes      MsoDataStore/2FUQQGJM==/Item
3            201 bytes      MsoDataStore/2FUQQGJM==/Properties
4            14992 bytes    MsoDataStore/GU3UWFJA==/Item
5            201 bytes      MsoDataStore/GU3UWFJA==/Properties
18           32 bytes       __nameid_version1.0/__substg1.0_00020102
19           80 bytes       __nameid_version1.0/__substg1.0_00030102
20           372 bytes      __nameid_version1.0/__substg1.0_00040102
21           8 bytes        __nameid_version1.0/__substg1.0_10030102
22           16 bytes       __nameid_version1.0/__substg1.0_10090102
23           8 bytes        __nameid_version1.0/__substg1.0_10120102
24           8 bytes        __nameid_version1.0/__substg1.0_10140102
25           8 bytes        __nameid_version1.0/__substg1.0_10150102
26           8 bytes        __nameid_version1.0/__substg1.0_101B0102
27           16 bytes       __nameid_version1.0/__substg1.0_101C0102
28           8 bytes        __nameid_version1.0/__substg1.0_101E0102
29           1232 bytes     __properties_version1.0
41           16 bytes       __substg1.0_001A001F
42           178 bytes      __substg1.0_0037001F
43           24 bytes       __substg1.0_003B0102
44           8 bytes        __substg1.0_003D001F
45           124 bytes      __substg1.0_00410102
46           50 bytes       __substg1.0_0042001F
47           8 bytes        __substg1.0_0064001F
48           36 bytes       __substg1.0_0065001F
49           170 bytes      __substg1.0_0070001F
50           22 bytes       __substg1.0_00710102
51           5746 bytes     __substg1.0_007D001F
52           124 bytes      __substg1.0_0C190102
53           50 bytes       __substg1.0_0C1A001F
54           24 bytes       __substg1.0_0C1D0102
55           8 bytes        __substg1.0_0C1E001F
56           36 bytes       __substg1.0_0C1F001F
57           0 bytes        __substg1.0_0E02001F
58           0 bytes        __substg1.0_0E03001F
59           32 bytes       __substg1.0_0E04001F
60           170 bytes      __substg1.0_0E1D001F
61           16 bytes       __substg1.0_0E4B0102
62           16 bytes       __substg1.0_0E4C0102
63           28 bytes       __substg1.0_0E580102
64           28 bytes       __substg1.0_0E590102
65           2218 bytes     __substg1.0_1000001F
66           6564 bytes     __substg1.0_10090102
67           24520 bytes    __substg1.0_10130102
68           114 bytes      __substg1.0_1015001F
69           92 bytes       __substg1.0_1035001F
70           16 bytes       __substg1.0_300B0102
71           70 bytes       __substg1.0_3FF8001F
72           157 bytes      __substg1.0_3FF90102
73           70 bytes       __substg1.0_3FFA001F
74           157 bytes      __substg1.0_3FFB0102
75           4 bytes        __substg1.0_4022001F
76           256 bytes      __substg1.0_4023001F
77           4 bytes        __substg1.0_4024001F
78           256 bytes      __substg1.0_4025001F
79           50 bytes       __substg1.0_4030001F
80           50 bytes       __substg1.0_4031001F
81           70 bytes       __substg1.0_4038001F
82           70 bytes       __substg1.0_4039001F
83           36 bytes       __substg1.0_5D01001F
84           36 bytes       __substg1.0_5D02001F
85           44 bytes       __substg1.0_5D0A001F
86           44 bytes       __substg1.0_5D0B001F
87           18 bytes       __substg1.0_5D150102
88           18 bytes       __substg1.0_5D160102
89           244 bytes      __substg1.0_8001001F
90           10 bytes       __substg1.0_8002001F
91           322 bytes      __substg1.0_8003001F
92           72 bytes       __substg1.0_8004001F
93           74 bytes       __substg1.0_8005001F
94           2 bytes        __substg1.0_8006001F
95           76 bytes       __substg1.0_8007001F
96           56 bytes       __substg1.0_8008001F
97           274 bytes      __substg1.0_8009001F

Intelligence


File Origin
# of uploads: 1
# of downloads: 178
Origin country: IT
Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: xls
Verdict: Malicious activity
Analysis date: 2026-07-01 07:00:43 UTC
Tags: attachments attc-arch arch-scr ip-check evasion stealer exfiltration agenttesla ftp
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Legit
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: False

Verdict: Malicious
Score: 81.4%
Tags: spam

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug dropper evasive obfuscated packed

Verdict: Malicious
File Type: outlook
First seen: 2026-07-01T04:10:00Z UTC
Last seen: 2026-07-01T04:13:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Script.Generic HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan-Downloader.Script.Generic

Verdict: inconclusive
YARA: 3 match(es)
Tags: Office Document Outlook Email

Threat name: Email-MSG.Trojan.Generic
Status: Suspicious
First seen: 2026-06-30 08:36:44 UTC
File Type: Email
Extracted files: 106
AV detection: 9 of 36 (25.00%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla adware collection discovery execution keylogger persistence ransomware spyware stealer trojan
Behaviour:
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Active Setup
Family: AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments