MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef
SHA3-384 hash: 6e6b9252c24bba42e16c59fb97fa9916d339d327c3ab5797def81b8b471b854403e23abb0f358032b44ad1a5c68b5b60
SHA1 hash: 26c74ef577843501c6cb0633fc6ef050c8ee7ea7
MD5 hash: 1840d1a3c683071939710d4a7ffd2537
humanhash: happy-cup-sweet-steak
File name:Abstinenssymptomers.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:835'566 bytes
First seen:2025-10-17 11:45:03 UTC
Last seen:2025-11-06 10:52:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (65 x Formbook, 45 x GuLoader, 28 x RemcosRAT)
ssdeep 24576:9adlbh/VWpdOee/gh7FmbH2z5KAhBgV5vNgLr:glb+Igh7FmbWz5U5Kf
Threatray 2'153 similar samples on MalwareBazaar
TLSH T1A50523076BE1D8A3E191577D143127B37ECE6003269A324BAFE4BF26B9691C5823F744
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 04e0c6e0f0f0b290 (2 x GuLoader, 1 x AgentTesla)
Reporter threatcat_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
155
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef.exe
Verdict:
Malicious activity
Analysis date:
2025-10-17 11:50:21 UTC
Tags:
evasion stealer ultravnc rmm-tool agenttesla
Link:
https://app.any.run/tasks/9cdbeee1-c310-427d-8b5d-c987675ebfa0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33197/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f22c7772d478f90598a107
Tags:
injection obfusc blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer masquerade microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68f22c753fe1a004456b9fbc/reports/0fa5d1d9-d7b1-4a42-af18-8146a534c63b/overview
Verdict:
Malicious
Labled as:
Agent.KVC.gen
Link:
https://www.hybrid-analysis.com/sample/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-17T03:38:00Z UTC
Last seen:
2025-10-19T09:08:00Z UTC
Hits:
~10000
Detections:
Backdoor.Androm.HTTP.Download Trojan.NSIS.Makoob.sba VHO:Backdoor.Win32.Remcos.gen Trojan-Downloader.Win32.Minix.sb Trojan.Win32.Guloader.sb Trojan.NSIS.Makoob.sbd Trojan.NSIS.Makoob.sbb HEUR:Trojan.Win32.Guloader.gen Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.Agensla.TCP.C&C NetTool.PlainTextCredentials.FTP.C&C
Link:
https://opentip.kaspersky.com/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef/results?tab=lookup
Malware family:
Unlabeled
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e951f957-b548-4b71-a9db-07106c88c760
Result
Threat name:
AgentTesla, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1797113
Signature
Antivirus detection for URL or domain
Check if machine is in data center or colocation facility
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1797113 Sample: Abstinenssymptomers.bat.exe Startdate: 17/10/2025 Architecture: WINDOWS Score: 100 19 ip-api.com 2->19 21 ftp.antoniomayol.com 2->21 23 antoniomayol.com 2->23 31 Suricata IDS alerts for network traffic 2->31 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 4 other signatures 2->37 7 Abstinenssymptomers.bat.exe 2 73 2->7         started        signatures3 process4 file5 15 C:\Users\user\AppData\Local\...\System.dll, PE32 7->15 dropped 17 C:\Users\user\AppData\Local\...\LangDLL.dll, PE32 7->17 dropped 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Tries to detect virtualization through RDTSC time measurements 7->43 45 Switches to a custom stack to bypass stack traces 7->45 11 Abstinenssymptomers.bat.exe 15 8 7->11         started        signatures6 process7 dnsIp8 25 antoniomayol.com 162.241.62.63, 21, 49723 UNIFIEDLAYER-AS-1US United States 11->25 27 ip-api.com 208.95.112.1, 49722, 80 TUT-ASUS United States 11->27 29 213.209.157.231, 49720, 80 M247GB Germany 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file / registry access) 11->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->51 53 2 other signatures 11->53 signatures9
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/1840d1a3c683071939710d4a7ffd2537
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-10-17 07:15:40 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ncvssxhfadc3l7k5nlqatiwrsb3kfh3vdv4tbf6vryguss7e3xq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
07ac845eee39222cc487d6dfe0a50f12874af6b05ea0390b5d6e4e4e64d3e18c
AgentTesla
1ba170ab165a3a134d7328c275ca25cbabc37eaf2779c8cb04de4b4d9a42d3fb
AgentTesla
209efa13cbc37d4365f43a1211c375585cc793f28fa642074d4b4b1ad4d68046
AgentTesla
3cbc45b5cb0b09e6dd7b74580b610fdf2c54a1790b20b646ca77aa6d55cbd769
AgentTesla
519ab6b3a7f312dd520533bd579b161fd7a0fc7b07204ce22fe3b6279316c0b4
AgentTesla
658e1034df7e4b35e11fb4403be312fa834bccce8c381b81b6623dfc26a9a2cf
AgentTesla
714aa4f8bd5e0cd65d45818cee8ea169ae1fbe0bc274a5a39ef68a8803528ad5
AgentTesla
806c54f6774b7fd87697f35797bf146b7b72367c5ccb17ed21e10de5cb7d9020
AgentTesla
9e78e9fe1051d21e27a8b637b8b8a096623a0a0880de1e46bf07e3bd036e8914
AgentTesla
c90b846cc5845b9f5ad7dd14d88d42e1d7b6093094b672ec679ef232ea694698
AgentTesla
error
AgentTesla
+ 2'143 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:guloader discovery downloader keylogger spyware stealer trojan
Link:
https://tria.ge/reports/251017-nw4b5szshw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Guloader family
Guloader,Cloudeye
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/89c08c18-b869-4cb4-8b7d-25639b9d7c0e
Unpacked files
SH256 hash:
eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef
MD5 hash:
1840d1a3c683071939710d4a7ffd2537
SHA1 hash:
26c74ef577843501c6cb0633fc6ef050c8ee7ea7
Link:
https://www.unpac.me/results/d5ff8651-13f7-402e-9ff4-239b02f26c67/
SH256 hash:
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36
MD5 hash:
549ee11198143574f4d9953198a09fe8
SHA1 hash:
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1
Link:
https://www.unpac.me/results/d5ff8651-13f7-402e-9ff4-239b02f26c67/
SH256 hash:
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
MD5 hash:
192639861e3dc2dc5c08bb8f8c7260d5
SHA1 hash:
58d30e460609e22fa0098bc27d928b689ef9af78
Link:
https://www.unpac.me/results/d5ff8651-13f7-402e-9ff4-239b02f26c67/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb45594ae728/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_9f4a80b2
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe eb45594ae728062dafeaeb57004d168c83b514fba8ebc984beac706a4a5f26ef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33197/

Comments