MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14
SHA3-384 hash:	bb634f6ed30b66549039c31935c037b3c6a2a40322eca5dc105155c95dc1dc93b080773a426c3df203acbb9de13f2da2
SHA1 hash:	dc7428fcb7f9b33a7e49b5a96cc743983951a071
MD5 hash:	fd5fbe534669e2b0fd7b50bd8acf1342
humanhash:	connecticut-carolina-magnesium-blossom
File name:	order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	276'720 bytes
First seen:	2025-03-17 22:27:53 UTC
Last seen:	Never
File type:	bat
MIME type:	text/plain
ssdeep	3072:1iRhMLJPZqk2JK81Pq4H4LxIcdhUbUY8pCxhi3FWO+Hf2v96qduHum:GhOJPZqtJSC4LxIA3bpdAHf2yum
Threatray	830 similar samples on MalwareBazaar
TLSH	T15F44BF3AC75C7EE84BB665D357EE2368805C8FCF66758688E815C4743CE0D8D9BA244C
Magika	txt
Reporter	smica83
Tags:	AgentTesla bat ftp-hitplas-ro

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

order no_3_17_2025 ref_HR 6473876476374647464657464564764746.bat

Verdict:

Malicious activity

Analysis date:

2025-03-17 22:31:51 UTC

Tags:

stealer evasion ultravnc rmm-tool agenttesla ftp exfiltration susp-powershell

Link:

https://app.any.run/tasks/70d544df-3476-401e-8031-483c8bbc7dd3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d8b68f3962f1a6f4727469

Tags:

shell virus lien sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade obfuscated

Link:

https://www.filescan.io/uploads/67d8a1fe5663b080596e9c45/reports/300d10ce-91d0-4a08-b5fe-c16bd813b4f8/overview

Verdict:

Suspicious

Labled as:

BAT/Agent.AZY

Link:

https://www.hybrid-analysis.com/sample/f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14

Result

Verdict:

MALICIOUS

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Result

Threat name:

AgentTesla, Batch Injector

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1640973

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

Found malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious PowerShell Parameter Substring

Suricata IDS alerts for network traffic

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AgentTesla

Yara detected Batch Injector

Yara detected Powershell decode and execute

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6b6e3664095437f4984389106b6609575fbd411c38f71f696e148ec7df15c14/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=623ogzsasvbx6smehciqnntasv27xvaryohxd5uw4feoy7prlqka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

867fae444c5935d14659dd105155a8cc0b0b2a4e0faf1dc5e684fe72dd0bd4ea

AgentTesla

a733065ba4e8987727892b1c9ff5e562624385b175ed2e80af74c1fc4579bd58

AgentTesla

bd1b8534eeefca6573bd8f3e7a3fdbbdb517bddb8daca483d53124dba3cca9b6

AgentTesla

e7db3ac5de235ef432d55b8fd2bf0f400ad26690b7efbb513d9d3cf178bf393d

AgentTesla

ecade566a9d6d611fe4ee178d686516aad0c5b0af39d07b8e4d9e7900bb3aec8

AgentTesla

ee7a41725da2bdf69d892c1ac563b9d11b317ff6bdf8971937abafca74d33c62

AgentTesla

error

AgentTesla

f1766635b1f5e7015ff13d8b6998366b45550d8be505f002b8e6192db3e503e7

AgentTesla

+ 820 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection discovery execution keylogger spyware stealer trojan

Link:

https://tria.ge/reports/250317-2dqj8asry5/

Behaviour

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Blocklisted process makes network request

AgentTesla

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample