Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Invoice copy.vbs

windows7-x64

10

Invoice copy.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Invoice copy.gz

  • Size

    27KB

  • Sample

    230213-l3yn5abh3x

  • MD5

    e3fbbd358ba94c81d8a98bf0094e0b5f

  • SHA1

    f01141d49bc22de7b53c2f102d8258eba92b7bf0

  • SHA256

    1fdf68f0dfeebac092002cb137bd0712530486d57ee2a919bc690bc65a70430c

  • SHA512

    b636fd7e342aacf35097ee2d2fa2608e201e590c93492eeb1217b4fd712226030ac41adfd46c979ced886075df0c99865ebab0e625653a9e9095da2ac23f49d8

  • SSDEEP

    768:lRvNEiubRe0pVh+2XsAOwYLknXufwpYlZwEk:rvrubRekk28AOpLQX8wqlZA

Score
10/10
agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://megookbpnq.cf/jernha.dsp

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Targets

    • Target

      Invoice copy.vbs

    • Size

      51KB

    • MD5

      f3a9804fd02a79f03baa34c927567847

    • SHA1

      61ddc401e537e878b3a0f67c7877ae4c953fafcb

    • SHA256

      a2d2cada1b167fcf06ac9a85fb47a71738187152544484b5d280a523adb93d1c

    • SHA512

      4909feda912a9e9a0349eeef3f711623c2bb536f23d2ca4d28a15c3d21326f036b8077c19de34ab92c509d3fccea53930f4425747590233b947f217f9a0d6f5c

    • SSDEEP

      768:P5MV9DybrUJAhATljcJBgYspgasqSQmepk1+R5SK:P4GhhA5jqI+aWQdT

    Score
    10/10
    agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks