Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

BANK SLIP ...55.exe

windows7-x64

10

BANK SLIP ...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2024, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BANK SLIP AND INVOICE F8200336555.exe

  • Size

    641KB

  • MD5

    6a39ce8481e9d2d1a51bb14cd011e2c5

  • SHA1

    5c4325af5c6ed70f561acecba5372ca8a356a5e6

  • SHA256

    454c223132175b8b9660b5567e08ccc29bd7c9f101f7104c36efbf6893c90015

  • SHA512

    081239d69897cd721bee0973f4e711fe521b9fc5c009981d9da63e3a958dfdb8f61f66b5c1f98fb86a3a14c0843ba519752746d699d216c29167772fedc80388

  • SSDEEP

    12288:FcojLBJI38szx0XIZVdl57pF6vhWSoUBhmI2XkRu9TjHPS/0RsBPZmJ:XjruPWIXr1pFohvZ+Cu9C/0KRQ

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe
    "C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCFhpb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCFhpb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe
      "C:\Users\Admin\AppData\Local\Temp\BANK SLIP AND INVOICE F8200336555.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp
    Filesize

    1KB

    MD5

    3b79c6c21b8a78850df10368df71abef

    SHA1

    cafd782fef7ae698693f1e94739741a3ed1618d5

    SHA256

    6ae3c78f289af15bae2af66d4015df3bfe986c9ff225e4e9f3df2f309d53bb05

    SHA512

    9d50851e7181f38aaf5961eb42750178b9cd9286355e16427cc97f778479ed0cd3556099120b5e43d08886efc35cde9c08f21d686acdc3203a2716fd808c95ba

    Download Submit

  • memory/1132-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-36-0x0000000000C40000-0x0000000000C80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1132-33-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1132-30-0x0000000000C40000-0x0000000000C80000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1132-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-37-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1132-14-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-16-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-18-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1132-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2476-6-0x00000000050F0000-0x000000000516A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2476-4-0x0000000000480000-0x0000000000488000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2476-0-0x0000000001290000-0x0000000001336000-memory.dmp

    Filesize

    664KB

    Download

  • memory/2476-5-0x0000000000490000-0x000000000049C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2476-28-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2476-1-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2476-2-0x00000000005E0000-0x0000000000620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2476-24-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2476-3-0x00000000003A0000-0x00000000003B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2648-32-0x0000000002690000-0x00000000026D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2648-34-0x000000006E170000-0x000000006E71B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2648-35-0x000000006E170000-0x000000006E71B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2648-31-0x0000000002690000-0x00000000026D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2648-29-0x000000006E170000-0x000000006E71B000-memory.dmp

    Filesize

    5.7MB

    Download