Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10_x64
- resource: win10
- submitted: 07/07/2020, 10:03
Static task: static1

Behavioral task: behavioral1
- Sample: PI2010081650.exe
- Resource: win7
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: PI2010081650.exe
- Resource: win10
- 0 signatures, 0 seconds
General
- Target: PI2010081650.exe
- Size: 645KB
- MD5: e4d311dd1b0e3fc5275285ae183677d5
- SHA1: 7cbb54d1cc976c3e5682a52cea89b7b98837f920
- SHA256: d96fb3fa5c309d3ec542c767d220336399ba763a0509b75fd08fc5fbffc7b2ff
- SHA512: f37129f3cfa242f00f3f106ca0db7abd530bdf1192ba358a210ad75e835014f77323e7f31e9a804d124eaa0e8e6c25dd6a5234fe2d11429569f71be5a8063dc1
- Score: 10/10
Malware Config

Extracted
- Credentials
  - Protocol: smtp
  - Host: mail.privateemail.com
  - Port: 587
  - Username: [email protected]
  - Password: success21

Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.privateemail.com
  - Port: 587
  - Username: [email protected]
  - Password: success21
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. The configuration extracted from this sample exfiltrates over SMTP (see Malware Config above).
- AgentTesla Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3412-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral2/memory/3412-1-0x000000000044692E-mapping.dmp | family_agenttesla

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3056 set thread context of 3412 | 3056 | PI2010081650.exe | 68

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3056 | PI2010081650.exe
  3056 | PI2010081650.exe
  3412 | MSBuild.exe
  3412 | MSBuild.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3056 | PI2010081650.exe
  Token: SeDebugPrivilege | 3412 | MSBuild.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3056 wrote to memory of 3948 | 3056 | PI2010081650.exe | 67 (3 events)
  PID 3056 wrote to memory of 3412 | 3056 | PI2010081650.exe | 68 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PI2010081650.exe  "C:\Users\Admin\AppData\Local\Temp\PI2010081650.exe"  (level 1, PID 3056)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  "{path}"  (level 2, PID 3948)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe  "{path}"  (level 2, PID 3412)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
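The Signatures and Processes sections above together describe one injection chain: the dropper in %TEMP% spawns two copies of MSBuild.exe, writes into both, but only re-points the thread context of the second (PID 3412), which is also where the YARA rule fires. The script below is an added example, not part of the tria.ge report or its tooling. It reconstructs that chain from the report's own event lines (copied here one event per line, as constructed input) and scores each parent/target pair on the process-hollowing pattern: memory writes plus SetThreadContext into the parent's own child, with a different image, from a user-writable path into a Windows-signed binary. The scoring weights and the USER_WRITABLE path list are assumptions for illustration.

```python
"""Reconstruct a process-hollowing chain from tria.ge-style behavioural events.

Added example, not part of the tria.ge report. Input data below is constructed
from the report's Processes and Signatures sections.
"""
import re
from collections import Counter, defaultdict

# Constructed from the Processes section: pid -> (image path, parent pid).
PROCESSES = {
    3056: (r"C:\Users\Admin\AppData\Local\Temp\PI2010081650.exe", None),
    3948: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", 3056),
    3412: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", 3056),
}

# Constructed from the Signatures section, one event per line, wording as in the report.
EVENTS = """\
PID 3056 set thread context of 3412
PID 3056 wrote to memory of 3948
PID 3056 wrote to memory of 3948
PID 3056 wrote to memory of 3948
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
PID 3056 wrote to memory of 3412
"""

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")

# Assumed list of paths a standard user can write to (illustrative, not exhaustive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_events(text):
    """Map (source pid, target pid) -> Counter of API names seen between them."""
    pairs = defaultdict(Counter)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # ignore lines that are not cross-process events
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        pairs[(src, dst)][api] += 1
    return pairs


def find_hollowing(events, processes):
    """Score each (src, dst) pair on the hollowing pattern; highest score first.

    A pair with writes but no SetThreadContext is kept at score 1 so the
    analyst still sees aborted or non-hollowing injection attempts.
    """
    findings = []
    for (src, dst), apis in events.items():
        src_img, _ = processes.get(src, ("<unknown>", None))
        dst_img, dst_parent = processes.get(dst, ("<unknown>", None))
        writes, ctx = apis["WriteProcessMemory"], apis["SetThreadContext"]
        if not writes and not ctx:
            continue
        reasons = [f"{writes}x WriteProcessMemory", f"{ctx}x SetThreadContext"]
        if not ctx:
            score = 1
            reasons.append("memory written but thread context never changed (aborted or non-hollowing injection)")
        else:
            score = 2
            if dst_parent == src:
                score += 1
                reasons.append("target is the injector's own child")
            if dst_img.lower() != src_img.lower():
                score += 1
                reasons.append("target image differs from injector image")
            if any(p in src_img.lower() for p in USER_WRITABLE) and dst_img.lower().startswith("c:\\windows\\"):
                score += 1
                reasons.append("user-writable injector targeting a Windows-signed image")
        findings.append({"src": src, "dst": dst, "src_image": src_img,
                         "dst_image": dst_img, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_hollowing(parse_events(EVENTS), PROCESSES):
        print(f"[{f['score']}] {f['src']} -> {f['dst']} ({f['dst_image']})")
        for r in f["reasons"]:
            print("      ", r)
```

Run against the report's data this ranks 3056 -> 3412 at the top (8 writes, 1 SetThreadContext, own child, different image, %TEMP% into C:\Windows), which matches the PID the YARA rule hit in memory, and lists 3056 -> 3948 as a write-only attempt that was never resumed, consistent with that MSBuild.exe instance showing no further signatures in the process tree. The same logic transfers to Sysmon event ID 8/10 or EDR telemetry once the fields are mapped to (src, dst, api).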