MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5de422507339d48b0e85504cdc1b962f9fec5cb2e636b16fb017b08fb2e107d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5de422507339d48b0e85504cdc1b962f9fec5cb2e636b16fb017b08fb2e107d3
SHA3-384 hash: bc235524fb33f9639195e7633134eb42ef2e9c2dc20490233855e98bfd7eea27278c68f92d8d2fdf48fa9b4212422f6a
SHA1 hash: 3042c96cbc0d736a0764f955db90b2fa425081d3
MD5 hash: bcb3e630e37548ef3bb6a57b5b70c889
humanhash: thirteen-utah-moon-carbon
File name:Remittance Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'552 bytes
First seen:2020-12-18 18:48:21 UTC
Last seen:2020-12-18 20:39:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d498fcaaa649fc0fa5ec434bbabef3d (7 x SnakeKeylogger, 1 x BitRAT, 1 x AgentTesla)
ssdeep 12288:dTKeKZRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRF:dTRmi/x20ujVACEQgc
Threatray 75 similar samples on MalwareBazaar
TLSH 52F46DF4A153E04FDC30887DC211C6A1A956AD35875D62E5F1E0FA0E067BDC09AAE7E3
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance_Advice.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 14:48:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/629297f7-5d5e-400d-9d86-81b0ff705f10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108486/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60878.18062.20459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Unauthorized injection to a recently created process
Creating a window
Launching a process
Sending a UDP request
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/566585
Signature
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332376 Sample: Remittance Advice.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 84 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 4 other signatures 2->49 8 Remittance Advice.exe 3 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 8->27 dropped 29 C:\...\0817bca10fc943b89df569d67e596b48.xml, XML 8->29 dropped 51 Maps a DLL or memory area into another process 8->51 12 Remittance Advice.exe 2 12 8->12         started        14 cmd.exe 1 8->14         started        signatures5 process6 process7 16 iexplore.exe 1 56 12->16         started        18 conhost.exe 14->18         started        20 schtasks.exe 1 14->20         started        process8 22 iexplore.exe 31 16->22         started        25 iexplore.exe 67 16->25         started        dnsIp9 31 avatars3.githubusercontent.com 22->31 33 avatars1.githubusercontent.com 22->33 35 140.82.121.3, 443, 49771, 49772 GITHUBUS United States 22->35 37 avatars3.githubusercontent.com 25->37 39 avatars1.githubusercontent.com 25->39 41 2 other IPs or domains 25->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5de422507339d48b0e85504cdc1b962f9fec5cb2e636b16fb017b08fb2e107d3/
Threat name:
Win32.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 16:13:26 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
24 of 28 (85.71%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lxsceudthhkiwdufkbgnyg4wf6p6yxfs4y3lc35qc6yi7mxba7jq._file
Verdict:
unknown
Similar samples:
3faafeae03cf24f47b90a17040357b6b130ec8daf8d39a3410be86dbd767a541
AgentTesla
4b4ce2070aa958e7431643fc10c4b96ca8612747a2d5e0bf23ae31013ed71b59
AgentTesla
4d302b4fd8564f5e3f9b505c0f342ec0e133fca6e5d0c6b3bd89746351561c5b
AgentTesla
55e7e1cd5e151e8f67b08a11555dc9020318e9924219192f84cd1d5a032b9ee2
AgentTesla
9e5ae90f75fe48362b66a1c79246d519a2a96adbb68b03c0ed53ec6db93143c5
AgentTesla
ba427f33bcbc3f27a2bcecf21c044e115985dd0a43dbc66a7c0170854b44e39b
AgentTesla
bf60e55ec0adb6a2be7a8009c201aecbb074beecd22458bf19ff12f5d5acbb9b
AgentTesla
cdfc1600f7f5656fb2b72fd10da44b8f7e12f4c40027a4338251e5d7e9f0e743
AgentTesla
d6a2dd4ed732f43100bcf66aa1bbef9442c4ed975d943ee81c99c3fa4932d91c
AgentTesla
e3be5f2b9bd4b6b4847cabb927de8818ffb29e3544dc667f9962c31c92bd87e7
AgentTesla
+ 65 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201218-7ger4dm5ys/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5de422507339d48b0e85504cdc1b962f9fec5cb2e636b16fb017b08fb2e107d3
MD5 hash:
bcb3e630e37548ef3bb6a57b5b70c889
SHA1 hash:
3042c96cbc0d736a0764f955db90b2fa425081d3
Link:
https://www.unpac.me/results/69eeedd0-88fc-4472-aec8-a3c6b3121524/
SH256 hash:
f0211e8781298a2e49374b3ec7e974a4284fc81ee973f20048878f7eee5bbd3c
MD5 hash:
f146f8886a46ac780f8d2bbe523b33e5
SHA1 hash:
eed0314eb61643274550346b13efbcc0ee7cafd9
Link:
https://www.unpac.me/results/69eeedd0-88fc-4472-aec8-a3c6b3121524/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5de422507339d48b0e85504cdc1b962f9fec5cb2e636b16fb017b08fb2e107d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/108486/

Comments