General
Target: Invoice copy.gz
Size: 27KB
Sample: 230213-l3yn5abh3x
MD5: e3fbbd358ba94c81d8a98bf0094e0b5f
SHA1: f01141d49bc22de7b53c2f102d8258eba92b7bf0
SHA256: 1fdf68f0dfeebac092002cb137bd0712530486d57ee2a919bc690bc65a70430c
SHA512: b636fd7e342aacf35097ee2d2fa2608e201e590c93492eeb1217b4fd712226030ac41adfd46c979ced886075df0c99865ebab0e625653a9e9095da2ac23f49d8
SSDEEP: 768:lRvNEiubRe0pVh+2XsAOwYLknXufwpYlZwEk:rvrubRekk28AOpLQX8wqlZA
Static task: static1 (submitted archive Invoice copy.gz)
Behavioral task: behavioral1
  Sample: Invoice copy.vbs (extracted from the archive)
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Invoice copy.vbs (extracted from the archive)
  Resource: win10v2004-20220812-en
Malware Config
Extracted: http://megookbpnq.cf/jernha.dsp
Extracted (agenttesla): https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/
Targets
Target: Invoice copy.vbs
Size: 51KB
MD5: f3a9804fd02a79f03baa34c927567847
SHA1: 61ddc401e537e878b3a0f67c7877ae4c953fafcb
SHA256: a2d2cada1b167fcf06ac9a85fb47a71738187152544484b5d280a523adb93d1c
SHA512: 4909feda912a9e9a0349eeef3f711623c2bb536f23d2ca4d28a15c3d21326f036b8077c19de34ab92c509d3fccea53930f4425747590233b947f217f9a0d6f5c
SSDEEP: 768:P5MV9DybrUJAhATljcJBgYspgasqSQmepk1+R5SK:P4GhhA5jqI+aWQdT
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic).
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Both create or flag a thread as hidden from the debugger, an anti-debugging technique.
- Suspicious use of SetThreadContext
  Commonly used to redirect execution in a target thread during process injection or hollowing.
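The signatures above describe host behaviour that can be replayed against your own telemetry. The script below is an added example written for this page, not Hatching Triage's detection code, and it is run over constructed Sysmon-style events rather than the sandbox's real trace. It flags the script host making a network request, the QEMU guest-agent probe, the registry geofence lookup, Outlook profile access, the external-IP lookup and contact with the Telegram Bot API named in the extracted Agent Tesla config, and it redacts the bot token from the extracted URL so the report can be shared without leaking the credential. The QEMU agent path, the registry key names, the IP-lookup hostnames, the event field layout and the payload process name `stage2.exe` are assumptions of this example, not details from the report.

```python
"""Replay the report's behavioural signatures over host telemetry (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Script hosts / LOLBins that should rarely talk to the network themselves (assumed list).
BLOCKLISTED_NET_IMAGES = {"wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Assumed location of the QEMU guest agent on a Windows guest.
QEMU_AGENT_PATH = r"c:\program files\qemu-ga\qemu-ga.exe"

# Assumed registry locations behind the "computer location" and Outlook checks.
GEO_NATION_KEY = r"\control panel\international\geo\nation"
OUTLOOK_PROFILES_FRAGMENT = r"\outlook\profiles"

# A few well-known external-IP services (assumed list, extend for your environment).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}

# Telegram Bot API URL as it appears in the extracted config: .../bot<bot id>:<secret>/
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/", re.I)

# The C2 URL extracted by the sandbox (from the report above).
EXTRACTED_C2 = "https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/"

# Constructed payload process name; the report does not name the process hosting Agent Tesla.
STAGE2_IMAGE = r"C:\Users\victim\AppData\Local\Temp\stage2.exe"


def redact_telegram_token(url: str) -> str:
    """Keep the numeric bot id (a stable IOC) but mask the secret half of the token."""
    return TELEGRAM_BOT_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m.group(1)}:<redacted>/", url
    )


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the signature names a single event triggers (empty list if none)."""
    hits: List[str] = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    kind = ev.get("type")
    if kind == "network":
        host = ev.get("dest_host", "").lower()
        if image in BLOCKLISTED_NET_IMAGES:
            hits.append("Blocklisted process makes network request")
        if host in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
        if host == "api.telegram.org":
            hits.append("Contacts Telegram Bot API (AgentTesla exfiltration channel)")
    elif kind == "file":
        if ev.get("path", "").lower() == QEMU_AGENT_PATH:
            hits.append("Checks QEMU agent file")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key.endswith(GEO_NATION_KEY):
            hits.append("Checks computer location settings")
        if OUTLOOK_PROFILES_FRAGMENT in key:
            hits.append("Accesses Microsoft Outlook profiles")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each triggered signature to the process images responsible for it."""
    report: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for sig in check_event(ev):
            report[sig].append(ev.get("image", "?"))
    return dict(report)


# Constructed events mirroring the chain in this report: the .vbs runs under wscript.exe,
# fetches the next stage, and the payload performs the checks and exfiltration.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "megookbpnq.cf"},
    {"type": "file", "image": STAGE2_IMAGE, "path": r"C:\Program Files\qemu-ga\qemu-ga.exe"},
    {"type": "registry", "image": STAGE2_IMAGE,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"type": "registry", "image": STAGE2_IMAGE,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "network", "image": STAGE2_IMAGE, "dest_host": "api.ipify.org"},
    {"type": "network", "image": STAGE2_IMAGE, "dest_host": "api.telegram.org"},
    # Benign browser traffic: triggers nothing.
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "example.com"},
]

if __name__ == "__main__":
    for sig, images in scan(SAMPLE_EVENTS).items():
        print(f"{sig}: {sorted(set(images))}")
    print("C2 (token redacted):", redact_telegram_token(EXTRACTED_C2))
```

Treat the extracted Telegram URL as a credential: the token is what authenticates calls to the Bot API, so the numeric bot id is the part to keep as an indicator and the rest should be redacted before the report leaves the analysis team. The event layout here is flat for readability; in a real pipeline the same checks sit behind a Sysmon or EDR parser.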