MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 20 File information Comments

SHA256 hash:	ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83
SHA3-384 hash:	cbacae8ec8f5cce9bb7994ee00049f0c3ed8e44d93cd80a73398439152125e23df3c17d97e194b5c09fd7007881a39fc
SHA1 hash:	723c49c4a520096d30886109add312f83ab9e000
MD5 hash:	124f9b6b23e184f38acd4d4867130db8
humanhash:	black-twenty-undress-mexico
File name:	9.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	924'672 bytes
First seen:	2025-10-16 09:16:11 UTC
Last seen:	2025-10-22 06:09:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:hAw4MROxnFXOVrrcI0AilFEvxHPTrooV:hWMi58rrcI0AilFEvxHP
Threatray	276 similar samples on MalwareBazaar
TLSH	T12115BF013BADBD06C1BE3679B7731AC907B8ED0A5092FB4E089451AD1D9FB01BD163A7
TrID	58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.4% (.EXE) Win64 Executable (generic) (10522/11/4) 5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	BlinkzSec
Tags:	144-31-189-163 AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Malware family:

orcus

ID:

File name:

9.exe

Verdict:

Malicious activity

Analysis date:

2025-10-16 09:17:23 UTC

Tags:

rat orcus

Link:

https://app.any.run/tasks/562c41c7-615b-44ff-99fd-2b0afb957e49

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

OrcusRAT

Link:

https://www.capesandbox.com/analysis/33045/

Detection(s):

Win.Packed.Generic-9805849-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f0b7ea72d478f905984808

Tags:

dropper packed orcus micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

Connection attempt

Creating a window

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

agenttesla anti-debug anti-vm base64 cmd evasive explorer fingerprint infostealer lolbin obfuscated orcusrat packed reconnaissance regedit rundll32 stealer stealer vbnet

Link:

https://www.filescan.io/uploads/68f0b7ffdf5cb32bf1ef9ac6/reports/50641439-972e-46a1-a2a8-2b6a1ab180c1/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-16T06:25:00Z UTC

Last seen:

2025-10-17T07:40:00Z UTC

Hits:

~100

Detections:

Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Agent.sb HEUR:Trojan-Spy.MSIL.Generic HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.Win32.Generic Backdoor.MSIL.Orcus.sb

Link:

https://opentip.kaspersky.com/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83/results?tab=lookup

Malware family:

Orcus RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/22647f30-3bda-4fbd-9dc9-590f93015ad9

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable Fody/Costura Packer Managed .NET PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86

Link:

https://app.malva.re/file/124f9b6b23e184f38acd4d4867130db8

Detection:

orcusrat

Link:

https://mwdb.cert.pl/sample/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83/

Verdict:

Malicious

Threat:

Family.ORCUS

Link:

https://tip.neiki.dev/file/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83

Threat name:

ByteCode-MSIL.Trojan.Sorcurat

Status:

Malicious

First seen:

2025-10-16 08:54:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

34 of 38 (89.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5u2sgfgdrdehu7bifvnocic7lzlgtze5lyh4qoidnh55jhz35kbq._file

Result

Malware family:

orcus

Score:

10/10

Tags:

family:orcus discovery persistence rat spyware stealer

Link:

https://tria.ge/reports/251016-k8vc8afm4s/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Orcurs Rat Executable

Orcus

Orcus family

Orcus main payload

Malware Config

C2 Extraction:

144.31.189.163:10134

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/999fcbd8-9990-4d93-95f0-9218b60ed0b8

Unpacked files

SH256 hash:

ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83

MD5 hash:

124f9b6b23e184f38acd4d4867130db8

SHA1 hash:

723c49c4a520096d30886109add312f83ab9e000

Detections:

win_orcus_rat_a0

OrcusRAT

Link:

https://www.unpac.me/results/8d1f344c-fab2-42e3-a935-928e263bf22e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed352314c388c87a7c282d5ae1205f5e5669e49d5e0fc8390369fbd49f3bea83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	ByteCode_MSIL_Backdoor_OrcusRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects OrcusRAT backdoor.

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifacts observed in infostealers

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MAL_BackNet_Nov18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet

Rule name:	MAL_BackNet_Nov18_1_RID2D6D Create hunting rule
Author:	Florian Roth
Description:	Detects BackNet samples
Reference:	https://github.com/valsov/BackNet

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RAT_win_Orcus Create hunting rule
Author:	KrknSec
Description:	Detects Orcus RAT
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)