MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 18

Intelligence 18 IOCs YARA 5 File information Comments

SHA256 hash:	cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d
SHA3-384 hash:	c1ef4244c45429ad22a702cdc1a735616c21a5d8e955fd0f3cad9297247501e7880f6fd92b0f2e9d26dca11496559e30
SHA1 hash:	af09ea71e43f11f14960964c1e3f1a6042453e46
MD5 hash:	61f9c775a57a43ff6b858bd6c4c99dea
humanhash:	south-oscar-nineteen-colorado
File name:	หลักฐานการชำระเงิน_shrunk.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'370'624 bytes
First seen:	2025-05-13 20:05:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:hQB3XaoIShwdTey2Y3kvZIb6gWqzxeDXdp:iswaTedYIZrqteDX3
Threatray	3'455 similar samples on MalwareBazaar
TLSH	T1165512182715EA12C5965FB90E32D2F463B84EDCB811E303DEFA7DEFB8363485945682
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

600

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Verdict:

Malicious activity

Analysis date:

2025-05-13 20:22:21 UTC

Tags:

stealer ultravnc rmm-tool telegram exfiltration netreactor ims-api generic agenttesla

Link:

https://app.any.run/tasks/32018f2a-c60e-49ec-8afc-1d6be1efaf25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.37.22667.5810.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6823a72c4a59e5a2ce0455db

Tags:

shell virus lien msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Connection attempt

Sending a custom TCP request

Stealing user critical data

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated overlay overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/6823a6048bd61140fb6eaf02/reports/93109f2f-5dd8-4462-a318-f2402e610486/overview

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/720e5fec-16d0-4efa-a530-41bd05d3f66d

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1689397

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-05-13 19:46:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z5mu2clq22trzabolitbwqoc4l5gr4x7pfmnn5eiok6esvhp2ngq._file

Verdict:

malicious

Label(s):

agenttesla

unc_loader_037

AgentTesla

3cbc56a3a001de05a99530e494b2fa9146d308f15dfc377bbe9dc0279c99b8c5

AgentTesla

413afb58c7726edb41ee39f2f6a151990187b21628a068806226b97455dfa4e6

AgentTesla

80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616

AgentTesla

b46e14c4dca21d96091abaf80ed4b01de6396a421799e63285ad3b530a026638

AgentTesla

error

AgentTesla

+ 3'445 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250513-ytzahszm19/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

AgentTesla

Agenttesla family

Malware Config

C2 Extraction:

https://api.telegram.org/bot7844826162:AAHmkutzU62TUPvnEGO_jSKI8EsX0HUPGsg/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/47ca42db-9762-41e7-851c-338fcb6c872a

Unpacked files

SH256 hash:

cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d

MD5 hash:

61f9c775a57a43ff6b858bd6c4c99dea

SHA1 hash:

af09ea71e43f11f14960964c1e3f1a6042453e46

Link:

https://www.unpac.me/results/1e0b693e-2834-4cf1-a66b-18737337f340/

SH256 hash:

22a03f25544fecf96ca7f38781824e302238529b6e59cc10cfecf240043bd294

MD5 hash:

bee219cadf5a780865c3548d9936bc38

SHA1 hash:

077405987d76832010142540e3f9c5fc1f1c314a

Link:

https://www.unpac.me/results/1e0b693e-2834-4cf1-a66b-18737337f340/

SH256 hash:

14578d45559dd8ea41b597b891f5f7456ac93a4593746d5be0a9ee4fba7ba591

MD5 hash:

cdc10531d2e472f129401adfe36701bb

SHA1 hash:

15a75615eac4a8408bd562d77136933bdde52ef1

Detections:

win_agent_tesla_g2

Agenttesla_type2

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Link:

https://www.unpac.me/results/1e0b693e-2834-4cf1-a66b-18737337f340/

SH256 hash:

87011a1bfe107b9d9743c6961be69bca5fdba0094d145f3017429c6432d4733e

MD5 hash:

2fca2ea99db8c642cea6ec88f839755a

SHA1 hash:

e464f570993c868cddbac6672451074b6ceeb836

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/1e0b693e-2834-4cf1-a66b-18737337f340/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cf594d0970d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample