MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a
SHA3-384 hash: 4d455635cc107a434de1effb77456ae113a0c689f48a21f62040510ad5ed95bb4e5e7b83d4ba666bdae8bef543e1462e
SHA1 hash: 301f2ba25884370ca65082228ba2adf72e702287
MD5 hash: 30b20cce036b60cdc66e039c33447b92
humanhash: one-chicken-shade-texas
File name:PO_5778.js
Download: download sample
Signature AgentTesla
Create hunting rule
File size:24'556'024 bytes
First seen:2026-06-17 06:03:19 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:KPuuuuuuuuuuuuuuuu/uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu/d:oPsNDB
Threatray 3'625 similar samples on MalwareBazaar
TLSH T1BF37E70232BFD70CF1F34E6D86E670946A77BBD99A75C7D801B0184E05E5C908AA2F67
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter lowmal3
Tags:AgentTesla js

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3238c954a045c34089cd24
Tags:
ransomware autorun shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin repaired schtasks
Link:
https://www.filescan.io/uploads/6a3238c0bf16337e43ca6523/reports/523166ff-b20f-40ed-bf8f-77c671352f29/overview
Verdict:
Suspicious
Labled as:
PowerShell/Obfuscated.BE trojan
Link:
https://www.hybrid-analysis.com/sample/fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a
Verdict:
Malicious
File Type:
js
First seen:
2026-06-17T00:22:00Z UTC
Last seen:
2026-06-17T03:07:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a/results?tab=lookup
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1929171
Signature
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929171 Sample: PO_5778.js Startdate: 17/06/2026 Architecture: WINDOWS Score: 100 37 0ebthsfmaa.ufs.sh 2->37 39 ip-api.com 2->39 41 bg.microsoft.map.fastly.net 2->41 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 14 other signatures 2->61 8 wscript.exe 1 4 2->8         started        12 svchost.exe 1 1 2->12         started        signatures3 process4 dnsIp5 33 C:\Users\user\AppData\Local\...\temp name.js, Unicode 8->33 dropped 35 C:\Users\user\AppData\Local\Temp\nIgFz.ps1, ASCII 8->35 dropped 71 Wscript starts Powershell (via cmd or directly) 8->71 73 Bypasses PowerShell execution policy 8->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 8->75 77 3 other signatures 8->77 15 powershell.exe 14 15 8->15         started        19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        45 127.0.0.1 unknown unknown 12->45 file6 signatures7 process8 dnsIp9 47 0ebthsfmaa.ufs.sh 104.21.43.201, 443, 49682 CLOUDFLARENET-CloudflareIncUS Canada 15->47 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->49 51 Writes to foreign memory regions 15->51 53 Injects a PE file into a foreign processes 15->53 23 MSBuild.exe 15 2 15->23         started        27 conhost.exe 15->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        signatures10 process11 dnsIp12 43 ip-api.com 208.95.112.1, 49683, 80 TUT-AS-TotalUptimeTechnologiesLLCUS United States 23->43 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 23->63 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 23->69 signatures13
Score:
78%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a
Gathering data
Gathering data
Verdict:
Malicious
Threat:
Family.AGENTTESLA
Link:
https://tip.neiki.dev/file/fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tnhl233ymf26zacru2mbctp3tr5creh4kh2f6ru2c6uhl4swbfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06342e1268df105c26721f1410fc92b84b4ea86e239aa0fb148728c10d292cce
AgentTesla
145512ad0ee1ebe7ca3e4298be88ffa7cdb984b535128430a65acccc9d19ff14
AgentTesla
35a2929d68a24dc02b99f6e04c102108b0474dc8755fabe90084db8b9270b89e
AgentTesla
3ee1860c0f5353263b70752681bd78872a5b9abf642b93669993f28f83933215
AgentTesla
7101b18d8de608de1c618f221e5bbab6c95973b0a1088c28f384ba3e9c008488
AgentTesla
a4e6ca7ea084e28449235ef58fa0f8d30f04d8af542fdc2a4c9fa243e10762ec
AgentTesla
ce8cdbdac7f2dc6b5b8068a910e3309c97bf897904753447ed842d4fef60cdb6
AgentTesla
error
AgentTesla
+ 3'615 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/260617-gsefaaa16m/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Badlisted process makes network request
Family: AgentTesla
Malware Config
Dropper Extraction:
https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fjs%2006062026.txt?alt=media&token=f33cc0da-35e7-4c6f-8da1-9a5536de62f5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Java Script (JS) js fcda75eb7bc30baf64028d34c08a6fdce3d14487e28fa2fa34d0bd43af92b04a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments