MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 20


Intelligence 20 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
SHA3-384 hash: 271e9fdc1677e952b4343085bfd6416350ecd0808fe9c2362b92f74c8dba9841dee9c1ac79af68c5e45f8f65fc6fb61c
SHA1 hash: a9dccd75e865afe41dec773f1b38b8862de7bebf
MD5 hash: 8956f11f39715db1b07331947bbcb0e5
humanhash: charlie-kentucky-muppet-east
File name:EKOKEY FOREIGN TRADE DOO.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:671'232 bytes
First seen:2025-04-17 13:45:20 UTC
Last seen:2025-04-17 13:45:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:pRAgCRx8OkazxX+zvfou6v08LOskuM1z0dX3wgtQNU/T/+B+mwEiG:pRtOkyYLV9k5c8AgzbGB+mS
TLSH T1C9E412053556EB16C2A52BF10D92D2BC2739AE8DE922D3174FDABDDFB432B046482353
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
486
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
EKOKEYFOREIGNTRADEDOO.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-04-17 13:49:22 UTC
Tags:
evasion stealer ftp agenttesla exfiltration netreactor
Link:
https://app.any.run/tasks/88b5f0cc-7e4a-490b-b268-a0b56cbef879

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/2727/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.20705.8441.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680106e12203b3e10cd04495
Tags:
underscore lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/680105fd931404048d7ff4e2/reports/4491cd9f-bd54-4035-9b62-1bdf06a84af1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36c33f0c-f424-4841-8b57-e20c7f828391
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667327
Signature
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-04-17 10:31:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7umlgein4azl2a4qdpnmcxfqb7gbp4rjf7oxshs4ibzmv5ypvtea._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
agenttesla
Create hunting rule
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla discovery keylogger spyware stealer trojan
Link:
https://tria.ge/reports/250417-q2nvrazky2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Agenttesla family
Verdict:
Suspicious
Tags:
external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/ba049aad-1504-4d7a-971c-89ef3d38f0b8
Unpacked files
SH256 hash:
fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
MD5 hash:
8956f11f39715db1b07331947bbcb0e5
SHA1 hash:
a9dccd75e865afe41dec773f1b38b8862de7bebf
Link:
https://www.unpac.me/results/d7815633-8ac9-4197-9faf-9f05d1f8dc8c/
SH256 hash:
b53e698a2b8bd1a5742dadceda1a8e589129530f1e464a5c7ae52ef211ee29e2
MD5 hash:
7949cfdd1890328fefbfdc8d636e8f9a
SHA1 hash:
11fe749e9881578b852547e630898293cf0d4a73
Link:
https://www.unpac.me/results/d7815633-8ac9-4197-9faf-9f05d1f8dc8c/
SH256 hash:
2e1c76dd34739aea785df4f15b7466bcc7773c99d3951482d60692074300048a
MD5 hash:
06aaa234ecd9fa6dceb76c9e9d90b9ef
SHA1 hash:
6205bc461f2414ade237235451b3cb08b8497e49
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d7815633-8ac9-4197-9faf-9f05d1f8dc8c/
SH256 hash:
a7745746577828e675df9d9d252a6bfd940e5e415379838e9849d08b7a65cb6b
MD5 hash:
a0b53db27f8345237d9871f110a51104
SHA1 hash:
cd4330e55250289d072fead68b5cdb7c62b7a45e
Detections:
win_agent_tesla_g2
Create hunting rule
Agenttesla_type2
Create hunting rule
INDICATOR_EXE_Packed_GEN01
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
MALWARE_Win_AgentTeslaV2
Create hunting rule
Link:
https://www.unpac.me/results/d7815633-8ac9-4197-9faf-9f05d1f8dc8c/
Parent samples :
93c1f391cb06fe4cf2a57dc8236dc9b970d2afc688d5fbbc9abd4dc2ed4c089b
9720a63f66e6f0fe2d93c9bd9e1ca3df5ca8520b9eaad9f52bd41fcce8a731fe
f9510c8431f00936d5ad598f8cb291f8b7c332f3af0fed696a99a1474c0ed706
1ff4344aa791b6f759f9e9d9655c28b468e33fb13017e33f707fc623769cf2ed
fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8
6b0cd55a4c6a299025ba02dc9d1962b494401c31d0125651a19c655c7bfc2a8c
e4997c748608a44552daf6262f503b22f5d77e20bb4b411c6342bcf6c1690ff1
be382be770efca98969b48895a2e7c41595a77cd79154a730db6b5ea9f0d2270
240c09f1a97bb6068fbe9c61b6026c0997dc5f2a06ae80e0c15ec691f40f30ee
c37baca5c488614ed44b90ade56d534975201dfa94327ed216b3c87e3ff8cc7a
35f56e6019406ee4247dfaf7a96e210eee795c8b05dc3c3666a2f644a8d4beab
70bb4b9ac0088fce0935763104020af0a92019cb428e3babc917739aec044296
f4cc69d1063ddca10b48ccf8c8c1380585144405f1bf3f938bdf0906d6229020
d0fcc696c691aaa8f1e3af4d7f4fab044704d96cf3f908af6681175715dc62be
c0affc728572d1e897d2869bd72b870bbe6851423e77f4b026306ade7d978e25
9434611a36173f7b73f3e3392e2ae8be5031cfff80ddf9a6638d1ee1aa81d05d
013ac70a93289c1dd9d84ff03a4d4ffc6256f185b098c92ee8dda039201ef8ec
8e44219248894eb248a11f54284a1c9b999ea0177209907f868ab8bc2783b9b7
31a83a4477bc742ccccec7cd1ef6cf0b56fce9735efd420763eb1ac82ed81842
a33c0ffb1a4ff6c80695b6f068d8c9fd434086f091554d75a6d99205c26e805f
bdb7b7cd3368224c457242baf24c2235e60d077f13741363c2307f1fbccfe5ff
a4870649d8987960960d6ce4482ec7ea064c268eac6d85eec8caac07303b61cc
393fecc94068036d3e4515448c33085cc7d8b8374a98b401e37d3ff751be8dd7
4fe3d56a5cb89bdf31145b7ce1c17f22d8d1616dd491fdf1462bf623ca8b3a10
a0f63bbedc34b836ef3e4f2bae53abda8ac334c5541a6d12f5659c2b131db6a7
c3e60b1c3a6a89355139b5213bd09d61dce0505d36e792b972e24b99fbb89850
4cd5676a9e5f1f59e10c246d9a6c674518e66031fea5e17d23318ece2c5e9c67
cbbdd74333f2f2ebb9b1019d15b011b64594b1cf5651edbf8671d2a2bcab929c
efd69a0ac7b81d3d2fe4900b06a98066f2517e0d9364361d396e143d6f90d128
c0676910f1362864201df2da6fc69db6b679c8ba7fc0f66a2dc47c2236142bce
417c165a04979b22d52eeb3fda53a4b6a699f80c3fc89a69fd408ea0fbad16ac
a7a427b9b9f7ce1d847bce150139c546e43f61d49c637ee425d24f52803d47c8
f199e8a011ce9dc5c0e579358241f64e951ea530ff27052ebc41f09f1b6546b1
4c2d6b024e7af04fe1a42d5afad603b085bf37eff5f3a0b9d59a42b3c2828cc9
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd18b3110de0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTeslaV2
Create hunting rule
Author:ditekshen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:AgentTeslaV5
Create hunting rule
Author:ClaudioWayne
Description:AgentTeslaV5 infostealer payload
Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_GEN01
Create hunting rule
Author:ditekSHen
Description:Detect packed .NET executables. Mostly AgentTeslaV4.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Windows vault credential objects. Observed in infostealers
Rule name:malware_Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Generic_Threat_779cf969
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_AgentTesla_ebf431a8
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fd18b3110de032bd03901bdac15cb00fcc17f2292fdd791e5c4072caf70facc8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/2727/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments