MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 b20c1983024b6fc695fa952f8f938a76b2954bc27ee2519b41a4426c00547c41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 17
| SHA256 hash: | b20c1983024b6fc695fa952f8f938a76b2954bc27ee2519b41a4426c00547c41 |
|---|---|
| SHA3-384 hash: | 98f54aea39def0c5eff86e778ced3b60695bc1289423571611b72e1e09757ecdf0b29a974ce5a3da6606fd1392c1dc2a |
| SHA1 hash: | b3d5c76d1012bee512810e60f65770f8683d9af3 |
| MD5 hash: | b5ab4bbc257f27987593d558996e7004 |
| humanhash: | shade-double-wisconsin-ohio |
| File name: | a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877 |
| Signature | AgentTesla |
| File size: | 1'117'696 bytes |
| First seen: | 2026-02-05 15:02:55 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash | c1ce208b1192bfcf652c179f34f034d3 (32 x AgentTesla, 21 x Formbook, 5 x a310Logger) |
| ssdeep | 24576:J5EmXFtKaL4/oFe5T9yyXYfP1MAXDzhMulAyG8yhiIO:JPVt/LZeJbInGizhjA31 |
| Threatray | 3'617 similar samples on MalwareBazaar |
| TLSH | T17735AE027391C062FFAB91734F5AF6115ABC7A260123E62F13981D79BE701B1563E7A3 |
| TrID | 50.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4); 19.9% (.EXE) Win64 Executable (generic) (10522/11/4); 9.5% (.EXE) Win16 NE executable (generic) (5038/12/1); 8.5% (.EXE) Win32 Executable (generic) (4504/4/1); 3.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| Reporter | abuse_ch |
| Tags: | AgentTesla exe upx-dec |
UPX unpacked
UPX decompressed file, sourced from SHA256 a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877.
This file is the unpacked version of a file that has been packed with UPX. Below is further information about the parent (compressed) file.
| File size (compressed) : | 611'328 bytes |
|---|---|
| File size (de-compressed) : | 1'117'696 bytes |
| Format: | win32/pe |
| Packed file: | a206ebb029fd442736f17f60d15352433c227d272fba3db4aaa901610db29877 |
Intelligence
File Origin: NL
Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTeslaV3 |
|---|---|
| Author: | ditekshen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | AgentTeslaV5 |
|---|---|
| Author: | ClaudioWayne |
| Description: | AgentTeslaV5 infostealer payload |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_EXE_Packed_GEN01 |
|---|---|
| Author: | ditekSHen |
| Description: | Detect packed .NET executables. Mostly AgentTeslaV4. |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | malware_Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|---|
| Rule name: | pe_imphash |
|---|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs) |
| Rule name: | TH_Generic_MassHunt_Win_Malware_2025_CYFARE |
|---|---|
| Author: | CYFARE |
| Description: | Generic Windows malware mass-hunt rule - 2025 |
| Reference: | https://cyfare.net/ |
| Rule name: | Windows_Generic_Threat_9f4a80b2 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_AgentTesla_ebf431a8 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla |