MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
SHA3-384 hash: 5bcc4d8d57a9685c0ed08ddbf81af386e1a8a79a6ec91cb5ecdeab81856c07e6ea2b2579913304ae738d631b7d356eb6
SHA1 hash: bcbfde26df11f9fdf858f9cb2a612103ec062248
MD5 hash: ad6af11e1dba66be68336e8698cd35a2
humanhash: sierra-seventeen-michigan-lamp
File name:justificante de pago.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:889'856 bytes
First seen:2025-09-11 07:46:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:bbRQYtj5n5ijpDm0za/BLRViWppjWwKmYu:P7vn8f6jFX
TLSH T1C3150114166ECB06E1664FB41971D2B40B78BFADE812E20B9FC53EDF783AB50A941347
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:AgentTesla exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
justificantedepago.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 07:52:32 UTC
Tags:
auto-sch-xml evasion stealer ultravnc rmm-tool agenttesla netreactor
Link:
https://app.any.run/tasks/e01caa67-d3dd-48d9-8578-19e7306fb6d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26871/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c27e996e66ba602d7a4fa5
Tags:
micro spawn lien sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Launching a service
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/68c27e807328794829267c46/reports/bbf35246-433e-4e32-869c-f8a3f231c27d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T03:38:00Z UTC
Last seen:
2025-09-11T03:38:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-Spy.MSIL.Agent.sb HEUR:Trojan.MSIL.Taskun.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb HEUR:Trojan.MSIL.Taskun.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.MSIL.Injector.gen Trojan-PSW.Win32.Stealer.sb Trojan-PSW.Win32.Disco.sb Trojan-PSW.MSIL.Agent.sb Trojan-PSW.MSIL.Agensla.sb Trojan-PSW.MSIL.Agensla.g
Link:
https://opentip.kaspersky.com/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c/results?tab=lookup
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eb7b7b6a-e396-43dc-80a3-c83613147c18
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775428
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775428 Sample: justificante de pago.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 48 smtp.gmail.com 2->48 50 ip-api.com 2->50 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 14 other signatures 2->62 8 justificante de pago.exe 7 2->8         started        12 PudHkkWFsym.exe 5 2->12         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\PudHkkWFsym.exe, PE32 8->40 dropped 42 C:\Users\...\PudHkkWFsym.exe:Zone.Identifier, ASCII 8->42 dropped 44 C:\Users\user\AppData\Local\...\tmpEBD0.tmp, XML 8->44 dropped 46 C:\Users\...\justificante de pago.exe.log, ASCII 8->46 dropped 64 Adds a directory exclusion to Windows Defender 8->64 14 justificante de pago.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        28 3 other processes 8->28 66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->70 72 Injects a PE file into a foreign processes 12->72 22 PudHkkWFsym.exe 12->22         started        24 schtasks.exe 12->24         started        26 PudHkkWFsym.exe 12->26         started        signatures6 process7 dnsIp8 52 ip-api.com 208.95.112.1, 49687, 49692, 80 TUT-ASUS United States 14->52 54 smtp.gmail.com 142.250.101.108, 49688, 49693, 587 GOOGLEUS United States 14->54 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->74 76 Loading BitLocker PowerShell Module 18->76 30 conhost.exe 18->30         started        32 WmiPrvSE.exe 18->32         started        34 conhost.exe 20->34         started        78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->78 80 Tries to steal Mail credentials (via file / registry access) 22->80 82 Tries to harvest and steal ftp login credentials 22->82 84 Tries to harvest and steal browser information (history, passwords, etc) 22->84 36 conhost.exe 24->36         started        38 conhost.exe 28->38         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86
Link:
https://app.malva.re/file/ad6af11e1dba66be68336e8698cd35a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c/
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 07:47:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6mbgvtdtzfjxwnb7flwj5wq3khhb5myeufp4xw4v3cfcshbmesga._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
unc_loader_001
Create hunting rule
Similar samples:
error
AgentTesla
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250911-jmtzwsxks5/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b17a3c81-2189-4864-8fb6-51650926d882
Unpacked files
SH256 hash:
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
MD5 hash:
ad6af11e1dba66be68336e8698cd35a2
SHA1 hash:
bcbfde26df11f9fdf858f9cb2a612103ec062248
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
SH256 hash:
4a8af9946518b7adfabab291dccfa4f3e27acac1ef07d4f8a69ebb488994bac1
MD5 hash:
56c90d081546763ea9a07679d338a4bc
SHA1 hash:
344a336b0717e7dd13e8afe573c54bde42947281
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
SH256 hash:
3990e25771cb07beec4202f89083bd9d088eafb19ca9588f1ce475db5f3885ca
MD5 hash:
b8cd58f6efea6336d15131774786e4be
SHA1 hash:
bd90879ef77a42c357d2cfd4a450207c98e4b9f0
Detections:
win_samsam_auto
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MetaStealer_NET_Reactor_packer
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
Parent samples :
5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682
SH256 hash:
6e638837fb33e9ba4b455424ad172a6718c9f69a37b0d899b3c871bb648cabb9
MD5 hash:
d1956d0a3a2f20b24458aa40de266dcc
SHA1 hash:
f3d35230b87f97a8a24412853ac53d0f311ab247
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
SH256 hash:
fdb4f30c93b7bd02447547c279aa33ed19c3dfa0a3e8d11f14f89b69dc76fd8a
MD5 hash:
03719936e7ab21672dbc70858f186bb6
SHA1 hash:
04bf6493b25b35e7b9f37bfd4829654ef3fc6cfd
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
Parent samples :
5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682
SH256 hash:
f213013e752edb96853b1bdbda9ca10c98e926d7c2e6b0a01ba5eb131dcb473e
MD5 hash:
ac81028a03b49dd0ddcc540e479cf41d
SHA1 hash:
06c5ccbdf80958eb5935eee73258cbbc86a03b07
Detections:
AgentTesla
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Link:
https://www.unpac.me/results/11ce9eee-1d4f-439d-b6c9-19cd004d07aa/
Parent samples :
5a14e9589b97d29fd97f25d0a2abc608131e3148382439b692232ffab2cf590a
f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c
b1e515e0e9d78bae0e3bf796c00627166a0be48cc6c70b0ea97c1f00cb35d682
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3026acc73c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f3026acc73c9537b343f2aec9eda1b51ce1eb304a15fcbdb95d88a291c2c248c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26871/

Comments