Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Task overview (score, sample, platform)
- 1: 1c15539131...b2.exe on windows7-x64
- 10: 1c15539131...b2.exe on windows10-1703-x64
- 10: 1c15539131...b2.exe on windows10-2004-x64
- 10: FedEx EL18...00.exe on windows7-x64
- 10: FedEx EL18...00.exe on windows10-1703-x64
- 10: FedEx EL18...00.exe on windows10-2004-x64
- 10: HSBC_Swift...df.exe on windows7-x64
- 10: HSBC_Swift...df.exe on windows10-1703-x64
- 10: HSBC_Swift...df.exe on windows10-2004-x64
- 10: Halkbank_E...68.exe on windows7-x64
- 10: Halkbank_E...68.exe on windows10-1703-x64
- 10: Halkbank_E...68.exe on windows10-2004-x64
- 10: SecuriteIn...75.exe on windows7-x64
- 10: SecuriteIn...75.exe on windows10-1703-x64
- 10: SecuriteIn...75.exe on windows10-2004-x64
- 10: epTZLp5PyVs2lsz.exe on windows7-x64
- 10: epTZLp5PyVs2lsz.exe on windows10-1703-x64
- 10: epTZLp5PyVs2lsz.exe on windows10-2004-x64
- 10: f227b51c63...cc.exe on windows7-x64
- 10: f227b51c63...cc.exe on windows10-1703-x64
- 10: f227b51c63...cc.exe on windows10-2004-x64
- 10: f2335865a4...a3.exe on windows7-x64
- 10: f2335865a4...a3.exe on windows10-1703-x64
- 10: f2335865a4...a3.exe on windows10-2004-x64
General (score 10)
- Target: agent-tesla.zip
- Size: 4.9MB
- Sample: 221227-rxfh9afa52
- MD5: b82253158fa3650108349b826ecb840b
- SHA1: 3c7494f01ee4d6f30fdfe07627ed5ba79dea325e
- SHA256: 01b10e69f2bf67fdd929c4cb584dd248a71ad447eb460787f9e2ba34129ac4c3
- SHA512: 566820251c749753f3abc7c5f3e853338b16c3db600f153dbbf1a59a49eb10e893d3b7c6012204793df34821d479a71d16e74e3b49e77666102bb8c8c6dc4657
- SSDEEP: 98304:mOUfHc0qEAcAD7utsfWtgtQhIUIz/YF4OXirF2zf0dCuJhlKCr1Jf3kZn19Y1fqA:EfvFAcmuda7/YOnFy0LlK+0xq
Tasks (task id, sample, resource)
- static1: static task
- behavioral1: 1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe (win7-20221111-en)
- behavioral2: 1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe (win10-20220901-en)
- behavioral3: 1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe (win10v2004-20221111-en)
- behavioral4: FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe (win7-20220812-en)
- behavioral5: FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe (win10-20220901-en)
- behavioral6: FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe (win10v2004-20221111-en)
- behavioral7: HSBC_Swift_Copy.pdf.exe (win7-20221111-en)
- behavioral8: HSBC_Swift_Copy.pdf.exe (win10-20220812-en)
- behavioral9: HSBC_Swift_Copy.pdf.exe (win10v2004-20221111-en)
- behavioral10: Halkbank_Ekstre_20221222_114527_468568.exe (win7-20221111-en)
- behavioral11: Halkbank_Ekstre_20221222_114527_468568.exe (win10-20220812-en)
- behavioral12: Halkbank_Ekstre_20221222_114527_468568.exe (win10v2004-20221111-en)
- behavioral13: SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe (win7-20221111-en)
- behavioral14: SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe (win10-20220901-en)
- behavioral15: SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe (win10v2004-20220812-en)
- behavioral16: epTZLp5PyVs2lsz.exe (win7-20221111-en)
- behavioral17: epTZLp5PyVs2lsz.exe (win10-20220812-en)
- behavioral18: epTZLp5PyVs2lsz.exe (win10v2004-20221111-en)
- behavioral19: f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe (win7-20221111-en)
- behavioral20: f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe (win10-20220901-en)
- behavioral21: f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe (win10v2004-20221111-en)
- behavioral22: f2335865a426507b47ecf5e37dcae9a3.exe (win7-20221111-en)
- behavioral23: f2335865a426507b47ecf5e37dcae9a3.exe (win10-20220812-en)
- behavioral24: f2335865a426507b47ecf5e37dcae9a3.exe (win10v2004-20220812-en)
Malware Config (extracted)
- Family: agenttesla
- C2 / exfiltration endpoints (Telegram Bot API):
  - https://api.telegram.org/bot5618720367:AAFqeS2K5cBYFRaIBpS6oi_RaSYSI0_A__w/
  - https://api.telegram.org/bot5932499274:AAFVgY_mSAbCu0fXfBWMuUmyk56JtTf6--Q/
  - https://api.telegram.org/bot5934477911:AAFE-T4zPYFg9j3dne3DNo28zBQV6eiIuEY/
Targets

Target: 1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2.exe
- Size: 1.0MB
- MD5: 1a5e881a5197cdee0fd2be1af368198a
- SHA1: 3ff94ebf7ed66aadafa66b28f01f3a4beeadb98c
- SHA256: 1c15539131a4b7a2864bf1cc5744ea213fce23e8b643d2cd00f0a242f4e775b2
- SHA512: 8c75be3273a8d8b1043e3e4e2034cd00a8bb33c404ae2441619e16113b24723159a46a6fce4526ae31040e1bd3ee7368340ad7bbbb2fe4d0c9d15d78fdc4ffb2
- SSDEEP: 12288:attzg2iNNvemxU2Uy49rF+mu3bk0RqV4Ef3JdselFDnw7Vu:QBg1vxUWcIrk0Rqf3Jd1FLIV
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
Target: FedEx EL1870335D online Customer AWB Shipping Advisory AWB Docs.Commercial Invoice. Packing List. Bill of Landing CMS00.exe
- Size: 883KB
- MD5: 72c4749f756b5b7341ef425d769d6c74
- SHA1: ba3b0faf467c1db173c9aaf37bf69ccb30759ecb
- SHA256: a6339dda7fc718e5a77bb3736d1c87e6a8fbc14827525307b3e8f184f02afd48
- SHA512: e7b31a35f9d80b4eba17c49f875dfa32d6a6d786bbe3db22de272f6c99eb7aef8d8936d90e82cac7c7da58c34d43fd82a5374544fba5b95c3866287fe642f295
- SSDEEP: 24576:O1VT1rXpNTgDDQmBMjerErCQtUcCMuy1HzgcK3vJc:OvNTWM4lgAcCMZzgcK3vu
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: HSBC_Swift_Copy.pdf.exe
- Size: 1001KB
- MD5: ce3718f0a5cd81530496e4724857b0cb
- SHA1: 17aca36e82674bd55a48684acc4eef6cd02696b1
- SHA256: 980572025579ff98c1ab84aa8c0c045e075d174bc5bb166e2694590c98f90a54
- SHA512: 6f30e90a5b9412a24f9513690cfca60c57f2e615604a12ddb7e355bd80894b7f3a37d8242813c76484a258db588c3df25f193a556284c3408d98c92ae814f724
- SSDEEP: 12288:bZ+2iN1/Sr+pGrnU9xmh873NdbE9QJKQZdF+LHZnbNFphh26mdOAH8c+9epf+mDG:Q1e+gnU9cOrjEw5Zupbxhh26mlH80q
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: Halkbank_Ekstre_20221222_114527_468568.exe
- Size: 497KB
- MD5: 447d145276eef872ff7ff17aece82184
- SHA1: 770464513653a17210806339a7bd5f51a761f355
- SHA256: a4e9eafd0bfcb5db60683b2c37e4a113087a656408b96e2795f94af8aecc20b2
- SHA512: cfeee165c61a2a62f13611d7cad57c8bdc9ebe441718953394cf3e200398a5ebb71ffaf7cc427981105f65c3e6fe23d021d32713ce70a76c80e9296fb3572fbf
- SSDEEP: 6144:ckwKLoJOtJrEx6csI6PVmWVc9fXEna+sSJSYRf7P1cZGllQYbT:7LosV0/3WVc98a+bJLf7PeZG7/
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
Target: SecuriteInfo.com.Win64.RATX-gen.30948.8275.exe
- Size: 1.1MB
- MD5: ff463709d7e429065e6efeb1456281a5
- SHA1: 43821ebc1f3f3e1b7208314747fdf8527263f363
- SHA256: 6f05a91cd30498cf1bc9b2e0058f1e3caa18b401b77d0a83b71a6df845430716
- SHA512: 990efaf520e2bfcf2a42b491e67b9266380d966439e132c40ad0eba28ae9ebaf6448bb538128a38e851be6a6660b04451c75138139e1371ac104540564a07dcd
- SSDEEP: 12288:SNP57i9RD++rs7j5Dytl7B1ljdOtovwGPVp/n2sS4OIvlxd2UIivOmBgdUYt9flG:Xh7XfPCsS41hbjSCC5Gm6oG+/c
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
Target: epTZLp5PyVs2lsz.exe
- Size: 1.0MB
- MD5: e74df11dc99580800c2ab75798fd0e25
- SHA1: 2b7914bd316d5d22a122d0263acca82e4152532b
- SHA256: 54080957647575cffb4a2575baac7edf65a4a8d3faac7b133246bae3a1bdb3b9
- SHA512: 962cf59714314e2f71c9fc45dc9c5940ed678ce25e6a6c33da29f15bc6893e6e0850af25533a6cf067fcfd6d9087de676a710d5a83db18db5f065fe024afe604
- SSDEEP: 24576:5LZLn1GvvokU/em1X4QaZDQi3/NMSwW8NlK:5tLnU3DU/d9YZDQQNiZzK
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc.exe
- Size: 1014KB
- MD5: 26c27aabc7f503c9c77f004f4b909c2b
- SHA1: c01b1e1eb7a532539b8626409eec93c5f7e86243
- SHA256: f227b51c6347b3acf53b8e54e84864c2c3e4ef973226bc517f0f9852dbc1bfcc
- SHA512: 0182a98ab6dfec078f24a20972e42d652f8a8acc2ae707aea63c0b30dea97618843affee13de2e8bc772d9d38efd54dc219c7cdceaf2309482381b165e03259f
- SSDEEP: 12288:Wd4l68YdxM7KcQF8SYyKQiQGarSYSODjyVKSqmtDUHILYacpf+mDXttarruVBDUt:448888KcM86viiLz8KSqeDUHILY9
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
Target: f2335865a426507b47ecf5e37dcae9a3.exe
- Size: 860KB
- MD5: f2335865a426507b47ecf5e37dcae9a3
- SHA1: 7ccf56c9c48ffc911ac80ddf5240a42c99f83e33
- SHA256: 57901cf97d0ab4c57f8b4927c75bd8761182b5ddb80d09bb917aab71ae68d7c6
- SHA512: 67fd0fb2b872446957c570fb3418ee41363b8b0a6362819c36cef81454acadb2892e31dab2f7760a2f848c92b2b61b8ad5012a6781281f6cb009815c9424e208
- SSDEEP: 24576:EsFdELpCybniAU6cH80ru/71mnMOrYH1ocO:FFdELpCybniAU6Gu/71mndM1jO
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext