Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10_x64 -
resource
win10 -
submitted
07/07/2020, 10:03
General
-
Target
PI2010081650.exe
-
Size
645KB
-
MD5
e4d311dd1b0e3fc5275285ae183677d5
-
SHA1
7cbb54d1cc976c3e5682a52cea89b7b98837f920
-
SHA256
d96fb3fa5c309d3ec542c767d220336399ba763a0509b75fd08fc5fbffc7b2ff
-
SHA512
f37129f3cfa242f00f3f106ca0db7abd530bdf1192ba358a210ad75e835014f77323e7f31e9a804d124eaa0e8e6c25dd6a5234fe2d11429569f71be5a8063dc1
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
success21
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
success21
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI2010081650.exe"C:\Users\Admin\AppData\Local\Temp\PI2010081650.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
304KB