MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
SHA3-384 hash: bebb23734e484f8c15ccafffeec5715bc2b22b82e445c3ab0e60e96b559856fc7afe7f5ea60fbc9e8f6e6ae0d461f89d
SHA1 hash: 7f4a1a2de229064068cc5faa23b0d022d7b477d1
MD5 hash: 3dbbdd83fbf09f16db5092f4f8730a85
humanhash: triple-december-lion-saturn
File name:d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'316'864 bytes
First seen:2025-04-08 08:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 24576:hSSg4ETdgL8l/4J0pOa/jzVeqUpcIRkf2Y/66/dka2F4TVF:OpdgLy/XnspkJ66/jRh
Threatray 3'051 similar samples on MalwareBazaar
TLSH T1AE55F133BE8A87E1C2845776E4F749104735F996A743D74E3D8A23EA1C13BBA9D4120B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
Verdict:
Malicious activity
Analysis date:
2025-04-08 12:51:36 UTC
Tags:
stealer evasion exfiltration smtp agenttesla ultravnc rmm-tool
Link:
https://app.any.run/tasks/3eda0285-3ee5-4423-8428-5f49c34d0e67

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4dfafa695a0cd1facae6c
Tags:
autorun virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Launching a process
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Sending a custom TCP request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin net_reactor obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/67f4ddec2d430c849e0c7c00/reports/c1a8fc9b-fce6-4e1b-8337-38f27f20ae20/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1129c893-201b-4ed6-9501-cf09eef992f0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1659747
Signature
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Found malware configuration
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1659747 Sample: JCqehCfNQq.exe Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 27 nffplp.com 2->27 29 ip-api.com 2->29 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 8 JCqehCfNQq.exe 5 2->8         started        12 wscript.exe 1 2->12         started        signatures3 process4 file5 23 C:\Users\user\AppData\Roaming\HelpLink.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\...\HelpLink.vbs, ASCII 8->25 dropped 51 Drops VBS files to the startup folder 8->51 53 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->53 14 InstallUtil.exe 15 2 8->14         started        55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->55 18 HelpLink.exe 2 12->18         started        signatures6 process7 dnsIp8 31 ip-api.com 208.95.112.1, 49687, 49689, 80 TUT-ASUS United States 14->31 33 nffplp.com 163.44.198.71, 49688, 49692, 587 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG Singapore 14->33 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->57 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->61 65 2 other signatures 14->65 63 Multi AV Scanner detection for dropped file 18->63 20 InstallUtil.exe 2 18->20         started        signatures9 process10 signatures11 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->43 45 Tries to steal Mail credentials (via file / registry access) 20->45 47 Tries to harvest and steal ftp login credentials 20->47 49 2 other signatures 20->49
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-03-25 06:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hukd3v3qxlx4zlhmudohklqnnheghclgw63gg3sbjs6lavhs6fa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06664fb0f86485bcac0d663acb92e1966ec35ea9ecf4ae8c9456a7167cf06823
AgentTesla
06ed5e784f0d3b45b55b918cc7cbb8112a451cfd33b8922f737c3def6a27de9b
AgentTesla
1de7aaca4091a07acd43dd4ce545402743cf09a65353ae859a677cde51cbc5ff
AgentTesla
2f1ffb5dca9c01226ba8081747a61288a63f048eda76ce995970568a41a3fbbc
AgentTesla
5fa4351db218f6ad40cfeaa345e2dc78b390c399e0ed19b4e2fada3d926ca17f
AgentTesla
74a794e49ad3d2118eb14395b7fead75084e0a91ea6cfabde8fd684c0f1f8344
AgentTesla
ad269d354d181fb136d667589d1df4f9402585070c6385afad354fcb204bbabe
AgentTesla
f3ff932bd931ee266567cd0422a067fd38281164c534026b57d740658aa056c3
AgentTesla
+ 3'041 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250408-kb39vs1zh1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
AgentTesla
Agenttesla family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/700e0c99-139a-4b47-9907-ddc2ceb68906
Unpacked files
SH256 hash:
d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
MD5 hash:
3dbbdd83fbf09f16db5092f4f8730a85
SHA1 hash:
7f4a1a2de229064068cc5faa23b0d022d7b477d1
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
SH256 hash:
ebca84910ae41574c5b75d44ad074df89c0620307af4b7f9784356c57a41687b
MD5 hash:
ea4146b2353811506f2b678651d5054e
SHA1 hash:
22a1cec26f62e8a3ded413d51a8ab2cddf89d595
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
SH256 hash:
ed5b4dcee61cf48c7b899ff2c9025326a8cfd425a1eed883a40115c2a4e20a81
MD5 hash:
254a2cdabafeaa83e7c81234ba1d4d8b
SHA1 hash:
38093e2f0081f30b493f851b5490d1b02d1ed2b9
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
SH256 hash:
3b23dbc0ffe3b17b88f560c2b93eb64af9e94beb88d123a4c811a427584f09bf
MD5 hash:
dd3ba42fc1cf8e969e342d918a7b6ae6
SHA1 hash:
4216ef47c65f7bbb54fd095c5bf2e321cddd69db
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Agenttesla_type2
Create hunting rule
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
Parent samples :
ce00b5a69092cf4b2a6f8c20e8f3cd5b8d1dfa27d946d9dca29413627a4ddfef
333394a3257c26759974c7bface3281c75d064e3c6c3f37479752bae52b364ea
45d0c2ec2ede02e8b8ef535346a4e7e06fd52ba27995a15a5f1a0b11e305d4f7
fdf11dc1585e1062c299ee652e789da5091b836f2fc999c99f0e6833e9d0db6b
ad269d354d181fb136d667589d1df4f9402585070c6385afad354fcb204bbabe
7a4a48270e007cfe195b3cbd18e16c77bac607a6f6c28ad76b6ea7b6aa28750b
19e7128bade3246917b6367e9ffb3dc01d8674cddabbf7db9a591eaf9e5314c2
eca76bae7cf6ffdfef6269b5eae8bca702663e3c2b7f7aca6b9d4d194276acca
d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a
52ac94d05d81c00faa5ffb989ba1b631b88790deb41f8f982c120fba5754f4d3
f39e7dee71963b9a93fd15a46e577d7e706497278ef181e9f38e05c1afbbd675
0498395cee5c766f2150c83a45216291a25fefa434e9bf7b6c27b8d599c037b5
a5a6f09dbfef79a19d216620a173e636ad05e97f28a90bd4a08f12cc0254d24b
4dd4dc6e537cd6431e9f5b84a99a81349e2aa2816dc2c95db9590ee958acd05d
2eda62b3947c01aa4e3808dcf284d59a0e5abfc281c210fd2734d0f84add64c3
30b5f7fd7e023b58cd879c16245c73c5e2e1076592afe8b74883ee066380ef8f
cf7fea1731369668f0a4c8ae3ef053f579ddad7db6187f468193f22ea9b02006
24483f7376aee0f64971caf390c1eed4a6cc56d76e15c1f4b22e7626bf8e076c
214f81361ecc2893d57465ef2c57662f7d60b2ea06408d6a40d6982f0c484e40
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/f4a0fe24-9e56-4f8e-a559-49b07a8c3425/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1e8a1eebb85/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1e8a1eebb85d77e65676506e3a9706b4e431c4b35bdb31b720a65e582a7978a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments