Analysis

  • max time kernel
    143s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    12/07/2020, 11:26 UTC

General

  • Target

    STATEMENT OF ACCOUNT - JULY 12.exe

  • Size

    391KB

  • MD5

    7e0f734c9add7e48862f0dbcf319901c

  • SHA1

    99b9640f0fe628b513ccba7e2a511b2667267359

  • SHA256

    8f74d4186885e919ba7b7c06562f9237691fd736feeb6222470f38b7efdcc532

  • SHA512

    b451c57bcb496657356f917eccba140b6d54edabf491c895ac804d815955abec547627e7e7cf4628b1cd6f10e289f84723187eb263024310d59dbb36d5fe1754

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.altrii.com
  • Port:
    587
  • Username:
    destiny@altrii.com
  • Password:
    wz(rDXZ9

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe
    "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe
      "{path}"
      2⤵
      PID:1848
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT - JULY 12.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1840-2-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1840-4-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1840-5-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB
