MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d1bb83fe0bb9688fc181c881a3e5a4cf6ae216941006d2ff52c2f286e27d4e4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 20
| SHA256 hash: | d1bb83fe0bb9688fc181c881a3e5a4cf6ae216941006d2ff52c2f286e27d4e4f |
|---|---|
| SHA3-384 hash: | 048e456c68291a744849062aabc07f30ae2cde122bf66efc514e87d5d0266f23e16c708196f40769d4a08898bcf260f6 |
| SHA1 hash: | e47879912caeb7433db2a7f1b04ec309032e36ee |
| MD5 hash: | 8387de346ee1f8c3e4e10d4b05801c5a |
| humanhash: | fanta-ceiling-delaware-lion |
| File name: | 265653031000053021.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 1'111'552 bytes |
| First seen: | 2025-09-01 12:41:39 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 1895460fffad9475fda0c84755ecfee1 (305 x Formbook, 52 x AgentTesla, 36 x SnakeKeylogger) |
| ssdeep | 24576:L5EmXFtKaL4/oFe5T9yyXYfP1ijXda/CJW19XOO920IZ:LPVt/LZeJbInQRa/0WaO9 |
| Threatray | 3'511 similar samples on MalwareBazaar |
| TLSH | T13135AE027391D062FFAB92334F56F6115BBC79260123AA2F13981DB9BD701B1563E7A3 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
99
Origin country :
HUVendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
265653031000053021.exe
Verdict:
Malicious activity
Analysis date:
2025-09-01 12:46:44 UTC
Tags:
stealer evasion agenttesla
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Verdict:
Malicious
Score:
90.2%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script evasive extrac32 fingerprint keylogger lolbin microsoft_visual_cc packed threat
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-26T07:15:00Z UTC
Last seen:
2025-08-26T07:15:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Agensla.TCP.C&C Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan.Win32.Strab.sb HEUR:Trojan.Script.AUO.gen Trojan-Spy.Stealer.FTP.C&C PDM:Trojan.Win32.Generic Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d Trojan.Win32.Inject.sb NetTool.PlainTextCredentials.FTP.C&C
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Threat name:
Win32.Trojan.AutoitInject
Status:
Malicious
First seen:
2025-08-26 10:32:27 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
29 of 38 (76.32%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 3'501 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
AgentTesla External_IP_Lookup
YARA:
n/a
Unpacked files
SH256 hash:
d1bb83fe0bb9688fc181c881a3e5a4cf6ae216941006d2ff52c2f286e27d4e4f
MD5 hash:
8387de346ee1f8c3e4e10d4b05801c5a
SHA1 hash:
e47879912caeb7433db2a7f1b04ec309032e36ee
SH256 hash:
9872f08e357ee6d38efa8fc86cfd954ab60c22fe48948f095652d80e96d546e3
MD5 hash:
65e06e8ace98a2528217d8fed448bfe3
SHA1 hash:
ea389a6f189f3bfbeb3e67d8f8d406357e5bb5e4
Detections:
win_agent_tesla_g2
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
MALWARE_Win_AgentTeslaV2
Parent samples :
30c105bcf71165d7b56bcd5f1a6a298c6bec6af76fa13119a5a461e0f42c0ccd
a9af9cb400dde90b1d11f0f73ad6e95fd4e3d391efab387e23dc00d3829c8702
763b165e0a3cf3f77490f238dab4d56f49948d56f90968ab68a4e3fd6ff570cb
c00c14734cb297eb4cc8d80b353c7878abeff827085f1df87e5728481389bbb5
d1bb83fe0bb9688fc181c881a3e5a4cf6ae216941006d2ff52c2f286e27d4e4f
429cae8440894efe69a974a1234919e30f83a5dbd5112d64c0785bb7684d1c92
b9abbc5e77702b783d44b3c02321e19ea6fad6ae30bcf89d9f046c2d4bd4248c
4f2dff7120be9e9c3d7a775749c0edea97b3e4bcd9405bdcf3346971026e3eee
1e10bf2f2b39bcb4bfa51b51c28096eb8b839c5a591a7e030bd82743c1d630f0
a9af9cb400dde90b1d11f0f73ad6e95fd4e3d391efab387e23dc00d3829c8702
763b165e0a3cf3f77490f238dab4d56f49948d56f90968ab68a4e3fd6ff570cb
c00c14734cb297eb4cc8d80b353c7878abeff827085f1df87e5728481389bbb5
d1bb83fe0bb9688fc181c881a3e5a4cf6ae216941006d2ff52c2f286e27d4e4f
429cae8440894efe69a974a1234919e30f83a5dbd5112d64c0785bb7684d1c92
b9abbc5e77702b783d44b3c02321e19ea6fad6ae30bcf89d9f046c2d4bd4248c
4f2dff7120be9e9c3d7a775749c0edea97b3e4bcd9405bdcf3346971026e3eee
1e10bf2f2b39bcb4bfa51b51c28096eb8b839c5a591a7e030bd82743c1d630f0
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | agentesla |
|---|---|
| Author: | Michelle Khalil |
| Description: | This rule detects unpacked agenttesla malware samples. |
| Rule name: | AgentTeslaV2 |
|---|---|
| Author: | ditekshen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | AgentTeslaV3 |
|---|---|
| Author: | ditekshen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | AgentTeslaV5 |
|---|---|
| Author: | ClaudioWayne |
| Description: | AgentTeslaV5 infostealer payload |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__RemoteAPI |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_EXE_Packed_GEN01 |
|---|---|
| Author: | ditekSHen |
| Description: | Detect packed .NET executables. Mostly AgentTeslaV4. |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | malware_Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | MALWARE_Win_AgentTeslaV2 |
|---|---|
| Author: | ditekSHen |
| Description: | AgenetTesla Type 2 Keylogger payload |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | Windows_Generic_Threat_779cf969 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_AgentTesla_ebf431a8 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.