Resubmissions

16/12/2022, 08:37

221216-kjcrwaed77 10

16/12/2022, 08:22

221216-j92cgshb8y 10

General

  • Target

    Scan20221216192254.exe

  • Size

    1.4MB

  • Sample

    221216-kjcrwaed77

  • MD5

    876f5f878fc3f716cd877443ee68f7e3

  • SHA1

    35a223eadf77e713de0f6a7951fdb32ec5a48973

  • SHA256

    dfa31b84bc2fc462da90b7f1a13c30ef92965ceeb06db45879a5443ea0d99920

  • SHA512

    3bc2f3a97613d054261086d0c1e83dab9237717142ac7d3ffe91ca5e918f73f0cf57b53e86aa1b4170c5bc4794c661fd079217d9e8150f7a942dde4e43dc6e83

  • SSDEEP

    12288:OixF+mYOpvTDg1Hoz+JE2QsO4BeylBqN6hFfX05M1pDUQDoC+v5c+JQZ24146/PQ:rCEHsOzj4j85M1hUQDAxzJX4vgkW

Malware Config

Extracted

Family

remcos

Botnet

ThirdClients

C2

79.134.225.97:1558

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    appsync.exe

  • copy_folder

    Appsync

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Appsync

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Appsync-00ARH2

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Appsync

  • take_screenshot_option

    true

  • take_screenshot_time

    55

  • take_screenshot_title

    mail;webmail;crypto;btc;ethereum;bitcoin;eth;outlook;foxmail;bank;email;compose;

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5169304639:AAEuGpfCL-hv_A-RdB_r9uRMHt_yvJZb2Z8/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks