MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
SHA3-384 hash: 4cb7ee026242e98c4d0691b4b3a8d9b5202656ebe57c2afb6607ef9ba61f236e75e5780eda04d262216340b2d60d9681
SHA1 hash: d5c6169b2c33e832f118e9aa18ce9e01fc0fda01
MD5 hash: 9b11bebdd9a12d8d4fd408cefd12103e
humanhash: four-mike-fourteen-green
File name:ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
Download: download sample
Signature AgentTesla
Create hunting rule
File size:749'576 bytes
First seen:2025-10-14 15:42:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:CvAa63lX1bD1MMwPf80Cep9dROOtrPrjGP85L0argJL3h3feQB0Rrv9D6HQkxY6t:CvAa63lX1bD1MMwPf80Cep9dROOtrPrA
Threatray 3'420 similar samples on MalwareBazaar
TLSH T1D8F41228376AE806C59E0F755CB2C2B14BB9BE8EA811C3479DF9BDEF75763042141362
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter JAMESWT_WT
Tags:AgentTesla detarcoopmedical-com exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
_ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35.exe
Verdict:
Malicious activity
Analysis date:
2025-10-14 15:54:44 UTC
Tags:
netreactor evasion stealer agenttesla auto-sch-xml
Link:
https://app.any.run/tasks/fdae5afe-6f7d-4e46-9838-e3763e58f5d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32753/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ee6faf97a16d00a8d9e7da
Tags:
virus spawn lien msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Sending a custom TCP request
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
agenttesla base64 bitmap expired-cert infostealer invalid-signature lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks signed stego vbc vbnet windows
Link:
https://www.filescan.io/uploads/68ee713a71883144ef36ac75/reports/3cc35b25-470e-4b97-8bda-0f010062710b/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-05-13T01:59:00Z UTC
Last seen:
2025-10-14T06:51:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9e7e560c-f4a1-43cf-a4f8-aa44dd152399
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.20 Win 32 Exe x86
Link:
https://app.malva.re/file/9b11bebdd9a12d8d4fd408cefd12103e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2025-05-13 04:40:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=56pbiqdytjdm2ahl4666quto57ia43itmmuz2oxdygyb5ci5pm2q._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
08379da65d80bac62f2bed130768e19210cf2344f74845a977fb8fa8237fb43d
AgentTesla
350ea0a5caf7e7eef53a845593e9eae15bc11e62ed1ba27e709a20a357bacada
AgentTesla
61823f8b8948aa13ec857248830031280ae6cb0eb0b64254fca74983782ed9ce
AgentTesla
cf594d0970d6a71c802e5a261b41c2e2fa68f2ff7958d6f48872bc4954efd34d
AgentTesla
f475ac6f377d0f017bbce87d87ab525668a1e691146e3c100b28d20a8727e58d
AgentTesla
+ 3'410 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/251014-s9znbshv7d/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6e2be3c-ea38-4a4d-8fd4-d3c88830fc7c
Unpacked files
SH256 hash:
ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
MD5 hash:
9b11bebdd9a12d8d4fd408cefd12103e
SHA1 hash:
d5c6169b2c33e832f118e9aa18ce9e01fc0fda01
Link:
https://www.unpac.me/results/c0438e43-ec5d-41a2-ba76-f2664284d70d/
SH256 hash:
10e21954bcf867e93944211039cb569b8bc79ed45fbf610d305f26a3a0a76917
MD5 hash:
29a7454e361a19658432a4e053612081
SHA1 hash:
15b6215b3f068f2ca6bceed031ba85e62419620d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c0438e43-ec5d-41a2-ba76-f2664284d70d/
SH256 hash:
a1cf25d1db64f0770a13d3179a2709f08c231b5133c7f2adb2fa450bc69c887b
MD5 hash:
3b5b4b45e6beb94f7598b7dd02acc32d
SHA1 hash:
1d7fbf2cc01a132ebf0dca52aee4f88280a20055
Detections:
win_agent_tesla_g2
Create hunting rule
AgentTesla
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/c0438e43-ec5d-41a2-ba76-f2664284d70d/
Parent samples :
a1cf25d1db64f0770a13d3179a2709f08c231b5133c7f2adb2fa450bc69c887b
ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
bcfe19d0400c2037c85aafca7fc2850f263334557f8aa3126a4c88f05dd1d51d
89683b224bb5a144fd44d21c13713a7c8a2108f7869dc6def98f254dff322ece
3938db6087be563a6827bb4a7b6ad3dde34e7eb4215ba65ff0bf33a498b821c7
SH256 hash:
e65bc4732f18966eeaba9700bb83489074f63082cf28bc05e90d278a1761ac25
MD5 hash:
f568aa0b7be96ed2102e8de46d59248b
SHA1 hash:
5031c8d479988ff22716c13646fc6ba8cd6a78d8
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c0438e43-ec5d-41a2-ba76-f2664284d70d/
Parent samples :
eba602f26ca14d5e494059001ecf363110ba504d9e0184b8abfa45905bd650cc
3ff3db68a75d4c52f3910396564f35999b3571ed75850df0c403b851433582ec
285bd22ba49a3de603e9fff856a0bd3111e43629ad29e24bb41178afd93ece23
54f015287731308328345efdc18a593d3b5a57efdd04278efb9da7f5127df37f
ca081d2e9e512e1516edc180262c4309dda83ad714a281abd26fc1a658bced01
c3f39d499f8599e009697219a0c0f9b5fd91848b693fcaf4abdc0d15bdc67de0
44123cf2ed8f575c4643cacfcd51e18188edeca34b343af433c98ac03fb691ea
76f35c8ecea90bb9709af24f9183489a711f04fc00f26d3cae74fbcdf7bde6c5
d539ab19fd873bd36c22b38f3d8a85683220a7bcce13a9c962652d6165c33c2e
ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ef9e1440789a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef9e1440789a46cd00ebe7bde8526eefd00e6d1363299d3ae3c1b01e891d7b35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32753/

Comments