Keylogger.AgentTesla

By CagedTech in Keyloggers

Threat Scorecard

Popularity Rank: 8,163
Threat Level: 80 % (High)
Infected Computers: 15,343
First Seen: August 22, 2018
Last Seen: January 31, 2026
OS(es) Affected: Windows

File System Details

Keylogger.AgentTesla may create the following file(s):
# File Name MD5 Detections
1. win32.agenttesla.exe 2b294b3499d1cce794badffc959b7618 5
2. file.exe aaf83fe476d0febd53fd439eac449525 1
3. b729ae54c04effb46f21de4f7eaac114 b729ae54c04effb46f21de4f7eaac114 0

Analysis Report

General information

Family Name: Keylogger.AgentTesla
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Company Name
  • HP
  • HP Inc.
File Description
  • ConsoleApp1
  • GnbotsGameInstaller
File Version 1.0.0.0
Internal Name
  • ConsoleApp1.exe
  • GnbotsGameInstaller.exe
Legal Copyright
  • Copyright © 2019
  • Copyright © 2020
  • Copyright © 2021
  • Copyright © 2022
  • Copyright © 2023
  • Copyright © 2024
  • Copyright © 2025
  • Copyright © HP 2024
  • Copyright © HP 2025
  • Copyright © HP Inc. 2018
  • Copyright © HP Inc. 2023
Original Filename
  • ConsoleApp1.exe
  • GnbotsGameInstaller.exe
Product Name
  • ConsoleApp1
  • GnbotsGameInstaller
Product Version 1.0.0.0

Digital Signatures

Signer Root Status
DESKTOP-QLR3C5D\MEBS DESKTOP-QLR3C5D\MEBS Self Signed

File Traits

  • .NET
  • Confuser
  • Installer Version
  • x64
  • x86

Block Information

Total Blocks: 2
Potentially Malicious Blocks: 0
Whitelisted Blocks: 0
Unknown Blocks: 2

Visual Map

? ?
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Eorezo.EB
  • MSIL.Agent.FSDA
  • MSIL.AgentTesla.NA
  • MSIL.Brute.GF
  • MSIL.Bulz.RL
  • MSIL.ClipBanker.RAG
  • MSIL.Downloader.RRA
  • MSIL.Heracles.RH
  • MSIL.Inject.CCA
  • MSIL.Injector.XT
  • MSIL.Krypt.GDSC
  • MSIL.Krypt.GDSF
  • MSIL.Krypt.GDSG
  • MSIL.Krypt.GHFC
  • MSIL.Krypt.TDJ
  • MSILZilla.HB
  • Wacatac.AR

Files Modified

File Attributes
c:\users\user\downloads\example.txt Generic Write,Read Attributes
c:\users\user\downloads\test.zip Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • setsockopt
Network Winhttp
  • WinHttpOpen
Encryption Used
  • BCryptOpenAlgorithmProvider
Syscall Use
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • UNKNOWN
