MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3236dfd6615ed1b4183d5051be1da83a47f107f265c7f64a76b5f4f76fc0282. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 21


Intelligence 21 IOCs YARA 4 File information Comments

SHA256 hash: e3236dfd6615ed1b4183d5051be1da83a47f107f265c7f64a76b5f4f76fc0282
SHA3-384 hash: c67f140d0076a4a8e4a636819fc7aa26de4cc4a5a2c7a77de7b1200b37cf5973c021baaea8c3e8a5ce0ebb80b5edd002
SHA1 hash: 510c1ae7855c4997d12171ae2ee0656e6a5537b5
MD5 hash: 2de8eb19b01816ede7fe8fead6ff03be
humanhash: stream-pluto-stream-summer
File name:saldo pendiente.exe
Download: download sample
Signature AgentTesla
File size:945'152 bytes
First seen:2026-07-01 15:46:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'079 x AgentTesla, 20'050 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:JQ48E6clBquHNnLfzT0oRNGWbAp3bbZS:JQ48slBqsZLfzT0WxAp
Threatray 3'693 similar samples on MalwareBazaar
TLSH T12715226167A9CA62D8EB83F90AB3E37043B47D1D6522D22E4FD87CCB7865F844604793
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
177
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
ID:
1
File name:
saldopendiente.exe
Verdict:
Malicious activity
Analysis date:
2026-07-01 15:51:19 UTC
Tags:
auto-reg stealer ultravnc rmm-tool agenttesla

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
micro virus lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-01T12:20:00Z UTC
Last seen:
2026-07-02T10:45:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Dnoper.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Agensla.g Trojan-PSW.MSIL.Agensla.d HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Trojan-Spy.MSIL.Agent.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Stealer.FTP.C&C Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.Agensla.TCP.C&C Trojan-Dropper.Win32.Injector.sb PDM:Trojan.Win32.Generic Backdoor.Win32.Androm.sb
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1936267 Sample: saldo pendiente.exe Startdate: 01/07/2026 Architecture: WINDOWS Score: 100 45 ftp.freshnest2u.com 2->45 47 pki-goog.l.google.com 2->47 49 4 other IPs or domains 2->49 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 12 other signatures 2->73 8 saldo pendiente.exe 1 6 2->8         started        12 powershell.exe 2->12         started        14 powershell.exe 19 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\ylfzurtPYDRjY.exe, PE32 8->35 dropped 37 C:\...\ylfzurtPYDRjY.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\...\j2tgb43mxx5.ps1, ASCII 8->39 dropped 41 C:\Users\user\...\saldo pendiente.exe.log, ASCII 8->41 dropped 75 Creates autostart registry keys with suspicious values (likely registry only malware) 8->75 77 Creates an autostart registry key pointing to binary in C:\Windows 8->77 79 Writes to foreign memory regions 8->79 81 2 other signatures 8->81 16 MSBuild.exe 15 2 8->16         started        20 ylfzurtPYDRjY.exe 2 12->20         started        22 conhost.exe 12->22         started        24 ylfzurtPYDRjY.exe 3 14->24         started        26 conhost.exe 14->26         started        signatures6 process7 dnsIp8 43 ftp.freshnest2u.com 218.208.91.162, 21, 49690, 49693 TTSSB-MYTMTECHNOLOGYSERVICESSDNBHDMY Malaysia 16->43 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->53 55 Tries to steal Mail credentials (via file / registry access) 16->55 57 Writes to foreign memory regions 20->57 59 Allocates memory in foreign processes 20->59 61 Injects a PE file into a foreign processes 20->61 28 MSBuild.exe 20->28         started        31 MSBuild.exe 20->31         started        63 Antivirus detection for dropped file 24->63 65 Multi AV Scanner detection for dropped file 24->65 33 MSBuild.exe 2 24->33         started        signatures9 process10 signatures11 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->83 85 Tries to steal Mail credentials (via file / registry access) 28->85 87 Tries to harvest and steal ftp login credentials 28->87 89 Tries to harvest and steal browser information (history, passwords, etc) 28->89
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.49 Win 32 Exe x86
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-01 15:14:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla collection discovery execution keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: AgentTesla
Unpacked files
SH256 hash:
e3236dfd6615ed1b4183d5051be1da83a47f107f265c7f64a76b5f4f76fc0282
MD5 hash:
2de8eb19b01816ede7fe8fead6ff03be
SHA1 hash:
510c1ae7855c4997d12171ae2ee0656e6a5537b5
SH256 hash:
59dad66b983788b5010a43080a28ce7a26a33b329fe0205c49a599b66d61ee8f
MD5 hash:
c5386620c1bec9664de1a438ad8f1e32
SHA1 hash:
2bdaabec23ee27e5c6f1c43df38c3ebdd7c7b1b6
SH256 hash:
796d4c739c71a4ebee216d0da47f1880c25e0e9738d60c2c9c0028cda739fa92
MD5 hash:
6ff5b1a33f39843637bace45c4d52984
SHA1 hash:
af7ddf51223e8c9abc4418219563be7529712c30
Detections:
win_agent_tesla_g2 triage_agenttesla_infostealer
SH256 hash:
d0c56d41323ef397002022ba5cf1150120b1755a7c488f64b739daec22b3f8a4
MD5 hash:
7a1ab3a8c43a08a3a5f1c8dfdf4446cf
SHA1 hash:
f58b0648e0b5fe3ab1e4d2e4bc996f8948581200
Malware family:
AgentTesla
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe e3236dfd6615ed1b4183d5051be1da83a47f107f265c7f64a76b5f4f76fc0282

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments