Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ezLGJLXuftPIrq7.exe

windows7-x64

10

ezLGJLXuftPIrq7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    202s
  • max time network
    243s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2023, 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ezLGJLXuftPIrq7.exe

  • Size

    691KB

  • MD5

    d788efd7d57409172c894fb3c2d0400d

  • SHA1

    ad2e1e5cdf4475642a910130cc1d94b2012b6bec

  • SHA256

    3d19690074df0c98a4088e0ca1f69969af9a65b7b260b7b71ac77a9bb89df6e6

  • SHA512

    d1ad358958c0c34e6f73e392656a73e394989e726e44fb4cb6b587b2588b3a3a4db6bcadb547b89ed631875173489d5dc1dc35bfc04b22b8cf3f54b3f8e6e45c

  • SSDEEP

    12288:PcK0ZRQQlfhoErwEBmiP3fwK1fYM9OleMEKWJnFrS6Y:Pc3BlRwEBmiP3tfYM9bKmFOT

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6190932047:AAFAXC_q-J_1tPTmmiqndMdlZipgoGT2Ypo/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe
    "C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe
      "C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe"
      2⤵
        PID:3700
      • C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe
        "C:\Users\Admin\AppData\Local\Temp\ezLGJLXuftPIrq7.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3524-140-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3524-146-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3524-145-0x00000000072C0000-0x0000000007482000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3524-144-0x00000000070A0000-0x00000000070F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3524-143-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3524-142-0x0000000005370000-0x00000000053D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4456-136-0x0000000004D60000-0x0000000004D6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4456-139-0x0000000007A70000-0x0000000007B0C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4456-138-0x0000000005040000-0x0000000005050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4456-137-0x0000000005040000-0x0000000005050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4456-133-0x0000000000300000-0x00000000003B4000-memory.dmp

      Filesize

      720KB

      Download

    • memory/4456-135-0x0000000004DD0000-0x0000000004E62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4456-134-0x0000000005380000-0x0000000005924000-memory.dmp

      Filesize

      5.6MB

      Download