
Analysis

  • max time kernel
    86s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09/07/2020, 14:29 UTC

General

  • Target

    RFQ_MD662H_PO-783837.exe

  • Size

    589KB

  • MD5

    f607f0ce8f8d6b58da6e8fe681bb8674

  • SHA1

    fbe64f8fc5795dc7b0ea7551e0900f799ac16d27

  • SHA256

    60ecae13c61f3b052a60c0937095f8b485ab10be58502c6bfbf4bec59f4e35ed

  • SHA512

    6e96c369dccc9f8dd41948883aa8a98f7528bc112bb86eb2e60bd276d4b39980a999feaee63eb601352fcee67aae80f8cfccdb8747f0fb6a7bcec07340209a33

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.edgeict.com
  • Port:
    587
  • Username:
    sales@edgeict.com
  • Password:
    sales-1209

The host, username and password are the attacker's exfiltration mailbox, recovered from the sample's embedded configuration: the stealer authenticates to this account and mails harvested data to it. Treat them as indicators to block and report, not as credentials to use.
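How the extracted SMTP credentials would appear on the wire, as an added Python example (not the sandbox's own code, and not derived from this sample's traffic, which the report above does not list): it parses a constructed SMTP session transcript, recovers the credentials from an AUTH LOGIN or AUTH PLAIN exchange, and checks them against the values in the Malware Config. The transcript, the `C:`/`S:` line prefixes and the `parse_smtp_auth` / `matches_extracted_config` names are assumptions made for the example.

```python
import base64
from dataclasses import dataclass

# Values taken from the Malware Config section of this report.
EXFIL_HOST = "mail.edgeict.com"
EXFIL_PORT = 587
EXFIL_USER = "sales@edgeict.com"
EXFIL_PASS = "sales-1209"


@dataclass
class SmtpAuth:
    mechanism: str
    username: str
    password: str


def parse_smtp_auth(transcript):
    """Walk a 'C: ' / 'S: ' SMTP transcript and recover credentials from every
    AUTH LOGIN (two base64 challenge/response rounds) or AUTH PLAIN
    (one base64 blob of "authzid\\0user\\0password") attempt."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    found = []
    i = 0
    while i < len(lines):
        who, _, payload = lines[i].partition(" ")
        words = payload.split()
        if who == "C:" and len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            if mech == "PLAIN":
                if len(words) >= 3:            # initial response on the AUTH line itself
                    blob = words[2]
                else:                          # S: 334  then  C: <blob>
                    i += 2
                    blob = lines[i].partition(" ")[2]
                _authzid, user, pw = base64.b64decode(blob).split(b"\x00")
                found.append(SmtpAuth("PLAIN", user.decode(), pw.decode()))
            elif mech == "LOGIN":
                # S: 334 VXNlcm5hbWU6 ("Username:")  C: <b64 user>
                # S: 334 UGFzc3dvcmQ6 ("Password:")  C: <b64 password>
                user = base64.b64decode(lines[i + 2].partition(" ")[2]).decode()
                pw = base64.b64decode(lines[i + 4].partition(" ")[2]).decode()
                found.append(SmtpAuth("LOGIN", user, pw))
                i += 4
        i += 1
    return found


def matches_extracted_config(auth, host, port):
    """True when an observed login uses the exfiltration mailbox from the extracted config."""
    return (host.lower() == EXFIL_HOST and port == EXFIL_PORT
            and auth.username.lower() == EXFIL_USER and auth.password == EXFIL_PASS)


# Constructed transcript of what the sample's SMTP exfiltration would look like
# without STARTTLS; it is not traffic captured from this analysis.
LOGIN_SESSION = """
S: 220 mail.edgeict.com ESMTP
C: EHLO WIN-7PC
S: 250-mail.edgeict.com
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: c2FsZXNAZWRnZWljdC5jb20=
S: 334 UGFzc3dvcmQ6
C: c2FsZXMtMTIwOQ==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sales@edgeict.com>
"""

# Same login using AUTH PLAIN with an initial response (blob built here for the example).
PLAIN_BLOB = base64.b64encode(b"\x00" + EXFIL_USER.encode() + b"\x00" + EXFIL_PASS.encode()).decode()
PLAIN_SESSION = f"S: 220 mail.edgeict.com ESMTP\nC: EHLO WIN-7PC\nS: 250 AUTH LOGIN PLAIN\nC: AUTH PLAIN {PLAIN_BLOB}\nS: 235 OK\n"

if __name__ == "__main__":
    for session in (LOGIN_SESSION, PLAIN_SESSION):
        for auth in parse_smtp_auth(session):
            hit = matches_extracted_config(auth, "mail.edgeict.com", 587)
            print(f"{auth.mechanism}: {auth.username} / {auth.password} -> "
                  f"{'matches extracted config' if hit else 'unrelated account'}")
```

On port 587 a client normally issues STARTTLS before AUTH, so this plaintext exchange is only visible in a sandbox or on a network with TLS interception, or when the sample skips STARTTLS; otherwise match on the destination host and port and on the TLS server name.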

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based infostealer and remote access tool (RAT). It harvests saved credentials from browsers, email clients and FTP clients and, in this sample, exfiltrates them over SMTP to the mailbox in the extracted config.

  • AgentTesla Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store user data, including saved account credentials, on disk, where infostealers commonly target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs

    Together with the WriteProcessMemory calls below, and with the child in the process tree being a second copy of the sample's own image, this is the call pattern of process hollowing (RunPE): the first copy writes the unpacked payload into a suspended copy of itself and redirects its entry point with SetThreadContext. The memory dumps from PID 912 in the Downloads section cover that injected region.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:912
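The two behaviours this report keys on, the credential-store reads in the Signatures section and the self-spawning parent/child with SetThreadContext and WriteProcessMemory in the Processes section, expressed as triage rules over sandbox-style events. This is an added Python example, not the sandbox's own signature code: the event records, their field names, and the specific file paths are constructed for the example (the report names the process tree and PIDs but not the exact files read), and the credential-store patterns are the well-known on-disk locations for FileZilla, Thunderbird, Chrome and Firefox.

```python
import fnmatch
from collections import defaultdict

# Credential stores the three "Reads data files ..." signatures refer to. Paths are the
# well-known on-disk locations; patterns are compared case-insensitively.
CREDENTIAL_STORES = {
    "ftp_client": [r"*\FileZilla\recentservers.xml", r"*\FileZilla\sitemanager.xml"],
    "email_client": [r"*\Thunderbird\Profiles\*\logins.json", r"*\Thunderbird\Profiles\*\key4.db"],
    "web_browser": [r"*\Google\Chrome\User Data\*\Login Data",
                    r"*\Mozilla\Firefox\Profiles\*\logins.json",
                    r"*\Mozilla\Firefox\Profiles\*\key4.db"],
}


def credential_store_reads(events):
    """pid -> sorted list of credential-store categories that process read."""
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] != "file_read":
            continue
        path = ev["path"].lower()
        for category, patterns in CREDENTIAL_STORES.items():
            if any(fnmatch.fnmatchcase(path, pat.lower()) for pat in patterns):
                hits[ev["pid"]].add(category)
    return {pid: sorted(cats) for pid, cats in hits.items()}


def hollowing_candidates(events, required=("WriteProcessMemory", "SetThreadContext")):
    """(parent_pid, child_pid) pairs where a process spawned its own image and then
    called both WriteProcessMemory and SetThreadContext on that child: the
    process-hollowing (RunPE) pattern the two signatures above fire on."""
    image = {ev["pid"]: ev["image"].lower() for ev in events if ev["type"] == "process_create"}
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    calls = defaultdict(set)   # (caller pid, target pid) -> APIs used on the target
    for ev in events:
        if ev["type"] == "api" and "target_pid" in ev:
            calls[(ev["pid"], ev["target_pid"])].add(ev["api"])
    return [(ppid, child) for child, ppid in parent.items()
            if ppid in image and image[ppid] == image[child]
            and set(required) <= calls[(ppid, child)]]


def triage(events):
    """One verdict per hollowed child: who injected it and which stores it then read."""
    reads = credential_store_reads(events)
    return [{"parent": ppid, "hollowed_child": child,
             "credential_stores_read": reads.get(child, [])}
            for ppid, child in hollowing_candidates(events)]


# Constructed events modelled on the process tree above (PIDs 1108 -> 912). The file paths
# illustrate what the signatures describe; the report does not list the exact files.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe"
EVENTS = [
    {"type": "process_create", "pid": 1108, "ppid": 600, "image": SAMPLE_IMAGE},
    {"type": "process_create", "pid": 912, "ppid": 1108, "image": SAMPLE_IMAGE},
    {"type": "api", "pid": 1108, "api": "WriteProcessMemory", "target_pid": 912},
    {"type": "api", "pid": 1108, "api": "SetThreadContext", "target_pid": 912},
    {"type": "file_read", "pid": 912, "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "pid": 912, "path": r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"type": "file_read", "pid": 912, "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 912, "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "process_create", "pid": 2000, "ppid": 600, "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for verdict in triage(EVENTS):
        print(verdict)
```

The hollowing rule deliberately requires the child to share the parent's image path: injecting into a freshly spawned copy of itself is what distinguishes this loader pattern from injection into an unrelated process, and it is why the second entry in the process tree above carries the same path as the first.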

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/912-2-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/912-4-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/912-5-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB
