MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 d5a65d6dc53a44eef295d2f9908bd7bde73e2457dda3347206d42e7c52ed5a43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 21
| SHA256 hash: | d5a65d6dc53a44eef295d2f9908bd7bde73e2457dda3347206d42e7c52ed5a43 |
|---|---|
| SHA3-384 hash: | 1407cdde99a2339745d9dfb9a596cfc020980fa2a579d42e74e41eef4f37cbe1f6d80af015b09d4a9f9a7a950798f976 |
| SHA1 hash: | 16ae4abe5fe7de2b6bb5f5f9b0c5ca8b0ec21cfa |
| MD5 hash: | 1cda8620389ee4a4b2994ad9e98d1042 |
| humanhash: | black-eleven-montana-chicken |
| File name: | z41factura-9876.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 1'086'976 bytes |
| First seen: | 2025-12-04 14:00:54 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | c1ce208b1192bfcf652c179f34f034d3 (32 x AgentTesla, 22 x Formbook, 5 x a310Logger) |
| ssdeep | 24576:h5EmXFtKaL4/oFe5T9yyXYfP1MAXDzU0EWmUKxe:hPVt/LZeJbInGizU0EnU |
| Threatray | 3'703 similar samples on MalwareBazaar |
| TLSH | T1F935AE0273C1D062FFAB95334F5AF6115ABC79260123A62F13981DB9BE701B1563E7A3 |
| TrID | 50.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 19.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.5% (.EXE) Win32 Executable (generic) (4504/4/1) 3.8% (.EXE) OS/2 Executable (generic) (2029/13) |
| Magika | pebin |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe upx-dec |
abuse_ch
UPX decompressed file, sourced from SHA256 db2271f6304ac6140d219a6a092c757e07dbe0fc342d62b9ba83dc7e0f005cdaUPX unpacked
This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.
| File size (compressed) : | 580'608 bytes |
|---|---|
| File size (de-compressed) : | 1'086'976 bytes |
| Format: | win32/pe |
| Packed file: | db2271f6304ac6140d219a6a092c757e07dbe0fc342d62b9ba83dc7e0f005cda |
Intelligence
File Origin
# of uploads :
1
# of downloads :
121
Origin country :
NLVendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Malware family:
agenttesla
ID:
1
File name:
z41factura-9876.exe
Verdict:
Malicious activity
Analysis date:
2025-12-04 14:03:42 UTC
Tags:
auto-startup stealer ultravnc rmm-tool exfiltration smtp agenttesla
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Verdict:
Malicious
Score:
97.4%
Tags:
autorun autoit emotet lien
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint keylogger masquerade microsoft_visual_cc packed
Verdict:
Malicious
Labled as:
Lazy.Generic
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T15:18:00Z UTC
Last seen:
2025-12-05T03:40:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.d Trojan.Win32.Zenpak.sb PDM:Trojan.Win32.Generic Trojan-PSW.Win32.Disco.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Auzenpak.sb Trojan-PSW.MSIL.Agensla.acrr
Verdict:
Malicious
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2025-12-04 14:01:24 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 24 (83.33%)
Threat level:
2/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 3'693 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
AgentTesla
Agenttesla family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
d5a65d6dc53a44eef295d2f9908bd7bde73e2457dda3347206d42e7c52ed5a43
MD5 hash:
1cda8620389ee4a4b2994ad9e98d1042
SHA1 hash:
16ae4abe5fe7de2b6bb5f5f9b0c5ca8b0ec21cfa
Detections:
AutoIT_Compiled
AutoIT_Compiled
SH256 hash:
988404e477e011502ee4a2c7706c1a6af59e5100a3af32edaa2f2fb64b0d41a6
MD5 hash:
298929227cdc10ff3a620d1c91ae295e
SHA1 hash:
f28d8a4a1b8be4ce82387607899144e73524cee9
Detections:
AutoIT_Compiled
SH256 hash:
c2c1ddc1a535c26e8335e2d2999590186b52ade66c210058b5651874edcbd1d3
MD5 hash:
4009f5d76518d188e34756e41c2f4b92
SHA1 hash:
78b790933064067a1190e8e9b93c31132a1b10f5
Detections:
AutoIT_Compiled
SH256 hash:
c71bed90fa985fa5c10c973c11ab8a4fce109d11579d9563bcaf96dc14be72e3
MD5 hash:
0cc401dc30e5ba772625d9f2227e9234
SHA1 hash:
f02d5d749b422284b4d62d0f1f9920926b662602
Detections:
win_agent_tesla_g2
AgentTesla
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
SH256 hash:
d5a65d6dc53a44eef295d2f9908bd7bde73e2457dda3347206d42e7c52ed5a43
MD5 hash:
1cda8620389ee4a4b2994ad9e98d1042
SHA1 hash:
16ae4abe5fe7de2b6bb5f5f9b0c5ca8b0ec21cfa
Detections:
AutoIT_Compiled
AutoIT_Compiled
SH256 hash:
00bd5f41232ce1a76bff31b9f84ac83513ad34db9cee6d9dc40df20032df7971
MD5 hash:
139d5ed5dbacabf9f973d6cdf28dacfe
SHA1 hash:
7be664ba82bed8c04287683a965556783e8b79cf
Detections:
win_agent_tesla_g2
AgentTesla
Agenttesla_type2
INDICATOR_EXE_Packed_GEN01
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTeslaV3 |
|---|---|
| Author: | ditekshen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | AgentTeslaV5 |
|---|---|
| Author: | ClaudioWayne |
| Description: | AgentTeslaV5 infostealer payload |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | INDICATOR_EXE_Packed_GEN01 |
|---|---|
| Author: | ditekSHen |
| Description: | Detect packed .NET executables. Mostly AgentTeslaV4. |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many email and collaboration clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing Windows vault credential objects. Observed in infostealers |
| Rule name: | malware_Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | TH_Generic_MassHunt_Win_Malware_2025_CYFARE |
|---|---|
| Author: | CYFARE |
| Description: | Generic Windows malware mass-hunt rule - 2025 |
| Reference: | https://cyfare.net/ |
| Rule name: | Windows_Generic_Threat_9f4a80b2 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_AgentTesla_ebf431a8 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.