Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
JKL-764-JPL-93873637BNSS.SCR.exe
-
Size
622KB
-
Sample
240129-r4qb2adfap
-
MD5
136665ccdc5a00ac893337ca535a9b00
-
SHA1
b711f4996e91585fb28ea367613ae8994bb9dd84
-
SHA256
b47914d632508339a012e07cc4030b35b25a78665513276c26496affefd01b90
-
SHA512
b6dd243ddd19ef2f1e3640e58b99ef5f89f8a6e35cd064eb7edc6a2e11b071dcf15c3bcf8d0ea298acc00fac44d7d098c6519c05a785ba3d7da5a2459afd169c
-
SSDEEP
12288:jhNMKBSfLJ0/OXH3T42AqwYVi8oin1f3EnYb3xl4mrofsMWFsyS:jhaRfKYXTjDVhoA1fPrTMZyS
Static task
static1
Behavioral task
behavioral1
Sample
JKL-764-JPL-93873637BNSS.SCR.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
JKL-764-JPL-93873637BNSS.SCR.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
Lancetter/Milieubeskyttelsesreglementer/wcapi.dll
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
Lancetter/Milieubeskyttelsesreglementer/wcapi.dll
Resource
win10v2004-20231215-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.giroplastic.com.br - Port:
587 - Username:
[email protected] - Password:
#no2@tec - Email To:
[email protected]
Targets
-
-
Target
JKL-764-JPL-93873637BNSS.SCR.exe
-
Size
622KB
-
MD5
136665ccdc5a00ac893337ca535a9b00
-
SHA1
b711f4996e91585fb28ea367613ae8994bb9dd84
-
SHA256
b47914d632508339a012e07cc4030b35b25a78665513276c26496affefd01b90
-
SHA512
b6dd243ddd19ef2f1e3640e58b99ef5f89f8a6e35cd064eb7edc6a2e11b071dcf15c3bcf8d0ea298acc00fac44d7d098c6519c05a785ba3d7da5a2459afd169c
-
SSDEEP
12288:jhNMKBSfLJ0/OXH3T42AqwYVi8oin1f3EnYb3xl4mrofsMWFsyS:jhaRfKYXTjDVhoA1fPrTMZyS
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
-
SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457
-
SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
-
SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
SSDEEP
192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score3/10 -
-
-
Target
Lancetter/Milieubeskyttelsesreglementer/wcapi.dll
-
Size
396KB
-
MD5
062434166c64d50b84518692be7e78dc
-
SHA1
86b24ae2fd5c7f396d2b920a113020dcd9ae4754
-
SHA256
5af5384cb1f83bab386ddf98e6b57639e896265008438a2730e17b93e65577e5
-
SHA512
bf85f59095f828e97a544ba0a1e348c03f5f27e59eb3e3f3d602922152a08f0848e27782db73594622f72510862780ac6898747002e8371cd2494f65c65c3d38
-
SSDEEP
6144:cfn5v+crgiX1sibsPdIqBaGTa/BIWZNGBmLbrTIdkDkwZYfQlYnx:a+crgmfbsFBaoGYfh
Score1/10 -