MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 14
| SHA256 hash: | cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c |
|---|---|
| SHA3-384 hash: | c66aec9dc0b45112f9d8fedd768414046a94abc5e0a2a1520e34bbe26847387ec59082757d3347548303f851da936049 |
| SHA1 hash: | 5a52ca5a5fd909c7728a606b4bc5eed430daf074 |
| MD5 hash: | 0691a28be008a82383a8ad8fcffab6e2 |
| humanhash: | edward-music-wyoming-north |
| File name: | cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 686'592 bytes |
| First seen: | 2025-07-07 14:18:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'628 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:vez+yE3Vv0MigEzLeGaEqYPhQ6eYQu40dP4GDiXsncboXgYZXCxVbMiNgvmjmry:v13V8HzqkPejEdPT+iwYZSxVb6Py |
| Threatray | 3'415 similar samples on MalwareBazaar |
| TLSH | T18EE412D06294DA23E9F287F01931C5764339AD9D6420C34F5EEEBCEBBD6A74428653C2 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
35
Origin country :
HUVendor Threat Intelligence
Detection:
AgentTesla
Verdict:
Malicious
Score:
99.1%
Tags:
virus spawn lien msil
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Trojan.GenericS
Malware family:
Formbook
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Gathering data
Detection:
agenttesla
Threat name:
Win32.Trojan.Snakekeylogger
Status:
Malicious
First seen:
2025-06-19 06:40:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
29 of 38 (76.32%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
unc_loader_037
Similar samples:
+ 3'405 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla discovery execution keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c
MD5 hash:
0691a28be008a82383a8ad8fcffab6e2
SHA1 hash:
5a52ca5a5fd909c7728a606b4bc5eed430daf074
SH256 hash:
c6a9e8939b97df23e9142f26eda39393c3d22062fe70737fa51584700a2ab2fc
MD5 hash:
94fbc81cd5ffc1d77f1e9fecc73d04f4
SHA1 hash:
08f60b5309fdb9180a4e7db0da05e363fc42d132
SH256 hash:
21bf3686fe7f42b757635eb1dc6285423b6f53ddd88fb2fdc4a9d5cadd94c54b
MD5 hash:
8c3f2eb1b58dc9f2ee8d6a6fee96f117
SHA1 hash:
95a8ceb04bd670c5cbd00eebf0a724f873c69fae
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
SUSP_OBF_NET_Reactor_Indicators_Jan24
SH256 hash:
a7745746577828e675df9d9d252a6bfd940e5e415379838e9849d08b7a65cb6b
MD5 hash:
a0b53db27f8345237d9871f110a51104
SHA1 hash:
cd4330e55250289d072fead68b5cdb7c62b7a45e
Detections:
win_agent_tesla_g2
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
MALWARE_Win_AgentTeslaV2
Parent samples :
93c1f391cb06fe4cf2a57dc8236dc9b970d2afc688d5fbbc9abd4dc2ed4c089b
9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
f9510c8431f00936d5ad598f8cb291f8b7c332f3af0fed696a99a1474c0ed706
1ff4344aa791b6f759f9e9d9655c28b468e33fb13017e33f707fc623769cf2ed
fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
6b0cd55a4c6a299025ba02dc9d1962b494401c31d0125651a19c655c7bfc2a8c
e4997c748608a44552daf6262f503b22f5d77e20bb4b411c6342bcf6c1690ff1
be382be770efca98969b48895a2e7c41595a77cd79154a730db6b5ea9f0d2270
240c09f1a97bb6068fbe9c61b6026c0997dc5f2a06ae80e0c15ec691f40f30ee
c37baca5c488614ed44b90ade56d534975201dfa94327ed216b3c87e3ff8cc7a
35f56e6019406ee4247dfaf7a96e210eee795c8b05dc3c3666a2f644a8d4beab
70bb4b9ac0088fce0935763104020af0a92019cb428e3babc917739aec044296
f4cc69d1063ddca10b48ccf8c8c1380585144405f1bf3f938bdf0906d6229020
d0fcc696c691aaa8f1e3af4d7f4fab044704d96cf3f908af6681175715dc62be
c0affc728572d1e897d2869bd72b870bbe6851423e77f4b026306ade7d978e25
9434611a36173f7b73f3e3392e2ae8be5031cfff80ddf9a6638d1ee1aa81d05d
013ac70a93289c1dd9d84ff03a4d4ffc6256f185b098c92ee8dda039201ef8ec
8e44219248894eb248a11f54284a1c9b999ea0177209907f868ab8bc2783b9b7
31a83a4477bc742ccccec7cd1ef6cf0b56fce9735efd420763eb1ac82ed81842
a33c0ffb1a4ff6c80695b6f068d8c9fd434086f091554d75a6d99205c26e805f
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
a4870649d8987960960d6ce4482ec7ea064c268eac6d85eec8caac07303b61cc
393fecc94068036d3e4515448c33085cc7d8b8374a98b401e37d3ff751be8dd7
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a0f63bbedc34b836ef3e4f2bae53abda8ac334c5541a6d12f5659c2b131db6a7
c3e60b1c3a6a89355139b5213bd09d61dce0505d36e792b972e24b99fbb89850
4cd5676a9e5f1f59e10c246d9a6c674518e66031fea5e17d23318ece2c5e9c67
cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c
efd69a0ac7b81d3d2fe4900b06a98066f2517e0d9364361d396e143d6f90d128
c0676910f1362864201df2da6fc69db6b679c8ba7fc0f66a2dc47c2236142bce
417c165a04979b22d52eeb3fda53a4b6a699f80c3fc89a69fd408ea0fbad16ac
a7a427b9b9f7ce1d847bce150139c546e43f61d49c637ee425d24f52803d47c8
f199e8a011ce9dc5c0e579358241f64e951ea530ff27052ebc41f09f1b6546b1
4c2d6b024e7af04fe1a42d5afad603b085bf37eff5f3a0b9d59a42b3c2828cc9
9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
f9510c8431f00936d5ad598f8cb291f8b7c332f3af0fed696a99a1474c0ed706
1ff4344aa791b6f759f9e9d9655c28b468e33fb13017e33f707fc623769cf2ed
fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
6b0cd55a4c6a299025ba02dc9d1962b494401c31d0125651a19c655c7bfc2a8c
e4997c748608a44552daf6262f503b22f5d77e20bb4b411c6342bcf6c1690ff1
be382be770efca98969b48895a2e7c41595a77cd79154a730db6b5ea9f0d2270
240c09f1a97bb6068fbe9c61b6026c0997dc5f2a06ae80e0c15ec691f40f30ee
c37baca5c488614ed44b90ade56d534975201dfa94327ed216b3c87e3ff8cc7a
35f56e6019406ee4247dfaf7a96e210eee795c8b05dc3c3666a2f644a8d4beab
70bb4b9ac0088fce0935763104020af0a92019cb428e3babc917739aec044296
f4cc69d1063ddca10b48ccf8c8c1380585144405f1bf3f938bdf0906d6229020
d0fcc696c691aaa8f1e3af4d7f4fab044704d96cf3f908af6681175715dc62be
c0affc728572d1e897d2869bd72b870bbe6851423e77f4b026306ade7d978e25
9434611a36173f7b73f3e3392e2ae8be5031cfff80ddf9a6638d1ee1aa81d05d
013ac70a93289c1dd9d84ff03a4d4ffc6256f185b098c92ee8dda039201ef8ec
8e44219248894eb248a11f54284a1c9b999ea0177209907f868ab8bc2783b9b7
31a83a4477bc742ccccec7cd1ef6cf0b56fce9735efd420763eb1ac82ed81842
a33c0ffb1a4ff6c80695b6f068d8c9fd434086f091554d75a6d99205c26e805f
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
a4870649d8987960960d6ce4482ec7ea064c268eac6d85eec8caac07303b61cc
393fecc94068036d3e4515448c33085cc7d8b8374a98b401e37d3ff751be8dd7
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a0f63bbedc34b836ef3e4f2bae53abda8ac334c5541a6d12f5659c2b131db6a7
c3e60b1c3a6a89355139b5213bd09d61dce0505d36e792b972e24b99fbb89850
4cd5676a9e5f1f59e10c246d9a6c674518e66031fea5e17d23318ece2c5e9c67
cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c
efd69a0ac7b81d3d2fe4900b06a98066f2517e0d9364361d396e143d6f90d128
c0676910f1362864201df2da6fc69db6b679c8ba7fc0f66a2dc47c2236142bce
417c165a04979b22d52eeb3fda53a4b6a699f80c3fc89a69fd408ea0fbad16ac
a7a427b9b9f7ce1d847bce150139c546e43f61d49c637ee425d24f52803d47c8
f199e8a011ce9dc5c0e579358241f64e951ea530ff27052ebc41f09f1b6546b1
4c2d6b024e7af04fe1a42d5afad603b085bf37eff5f3a0b9d59a42b3c2828cc9
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | agentesla |
|---|---|
| Author: | Michelle Khalil |
| Description: | This rule detects unpacked agenttesla malware samples. |
| Rule name: | AgentTeslaV2 |
|---|---|
| Author: | ditekshen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | AgentTeslaV3 |
|---|---|
| Author: | ditekshen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | AgentTeslaV5 |
|---|---|
| Author: | ClaudioWayne |
| Description: | AgentTeslaV5 infostealer payload |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | growtopia |
|---|---|
| Author: | Michelle Khalil |
| Description: | This rule detects unpacked growtopia stealer malware samples. |
| Rule name: | INDICATOR_EXE_Packed_GEN01 |
|---|---|
| Author: | ditekSHen |
| Description: | Detect packed .NET executables. Mostly AgentTeslaV4. |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | malware_Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | MALWARE_Win_AgentTeslaV2 |
|---|---|
| Author: | ditekSHen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | Runtime_Broker_Variant_1 |
|---|---|
| Author: | Sn0wFr0$t |
| Description: | Detecting malicious Runtime Broker |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | Windows_Generic_Threat_779cf969 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_AgentTesla_ebf431a8 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_TRUST_INFO | Requires Elevated Execution (Unrestricted:true) | high |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.