Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JKL-764-JP...CR.exe

windows7-x64

10

JKL-764-JP...CR.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Lancetter/...pi.dll

windows7-x64

1

Lancetter/...pi.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JKL-764-JPL-93873637BNSS.SCR.exe

  • Size

    622KB

  • Sample

    240129-r4qb2adfap

  • MD5

    136665ccdc5a00ac893337ca535a9b00

  • SHA1

    b711f4996e91585fb28ea367613ae8994bb9dd84

  • SHA256

    b47914d632508339a012e07cc4030b35b25a78665513276c26496affefd01b90

  • SHA512

    b6dd243ddd19ef2f1e3640e58b99ef5f89f8a6e35cd064eb7edc6a2e11b071dcf15c3bcf8d0ea298acc00fac44d7d098c6519c05a785ba3d7da5a2459afd169c

  • SSDEEP

    12288:jhNMKBSfLJ0/OXH3T42AqwYVi8oin1f3EnYb3xl4mrofsMWFsyS:jhaRfKYXTjDVhoA1fPrTMZyS

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      JKL-764-JPL-93873637BNSS.SCR.exe

    • Size

      622KB

    • MD5

      136665ccdc5a00ac893337ca535a9b00

    • SHA1

      b711f4996e91585fb28ea367613ae8994bb9dd84

    • SHA256

      b47914d632508339a012e07cc4030b35b25a78665513276c26496affefd01b90

    • SHA512

      b6dd243ddd19ef2f1e3640e58b99ef5f89f8a6e35cd064eb7edc6a2e11b071dcf15c3bcf8d0ea298acc00fac44d7d098c6519c05a785ba3d7da5a2459afd169c

    • SSDEEP

      12288:jhNMKBSfLJ0/OXH3T42AqwYVi8oin1f3EnYb3xl4mrofsMWFsyS:jhaRfKYXTjDVhoA1fPrTMZyS

    Score
    10/10
    agentteslakeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    behavioral3behavioral4

    • Target

      Lancetter/Milieubeskyttelsesreglementer/wcapi.dll

    • Size

      396KB

    • MD5

      062434166c64d50b84518692be7e78dc

    • SHA1

      86b24ae2fd5c7f396d2b920a113020dcd9ae4754

    • SHA256

      5af5384cb1f83bab386ddf98e6b57639e896265008438a2730e17b93e65577e5

    • SHA512

      bf85f59095f828e97a544ba0a1e348c03f5f27e59eb3e3f3d602922152a08f0848e27782db73594622f72510862780ac6898747002e8371cd2494f65c65c3d38

    • SSDEEP

      6144:cfn5v+crgiX1sibsPdIqBaGTa/BIWZNGBmLbrTIdkDkwZYfQlYnx:a+crgmfbsFBaoGYfh

    Score
    1/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks