Analysis
- max time kernel: 139s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/12/2023, 16:38
Behavioral task: behavioral1
- Sample: QUOTATIONNOVQTRFA00541PDF.scr.exe
- Resource: win7-20231201-en
- 8 signatures
- 150 seconds
General
- Target: QUOTATIONNOVQTRFA00541PDF.scr.exe
- Size: 974KB
- MD5: 83999a2ce0109ea4adbecb3a96744e8c
- SHA1: 4b94f4b23b157c7ae2df54e251cd4d22c683134d
- SHA256: 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
- SHA512: f4dfe9396a978d942cc5e8857549da838b17099f57a9fa4fc53761ee06bcff37f4100b263fdccff9565de3db40eb9c71694618433d64d41e66d8765a131328ae
- SSDEEP: 12288:W2BNuP+2ess0NdGRs5N4r8Zjw/KpBf2fLkzGHH1tfU7:J2JAk15N4r+8C72PfU
Malware Config
Extracted
- Credentials
  - Protocol: smtp
  - Host: gator3220.hostgator.com
  - Port: 587
  - Username: [email protected]
  - Password: 28#75@ts76&&p!!@@
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: gator3220.hostgator.com
  - Port: 587
  - Username: [email protected]
  - Password: 28#75@ts76&&p!!@@
  - Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect PureLogs payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4536-0-0x0000000000070000-0x0000000000168000-memory.dmp | family_purelogs
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4536 set thread context of 396 | 4536 | QUOTATIONNOVQTRFA00541PDF.scr.exe | 98
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  396 | AppLaunch.exe
  396 | AppLaunch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 396 | AppLaunch.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  396 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4536 wrote to memory of 396 | 4536 | QUOTATIONNOVQTRFA00541PDF.scr.exe | 98
  (the same row is recorded 8 times, one per WriteProcessMemory event)
Processes
1. C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe"
   PID: 4536
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 4536)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 396
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx