General
- Target: 4fb44ab10d15da11952bca16bae94bd4929eed33fdf277c184bf903f8bbe2c1e.zip
- Size: 636KB
- Sample: 240213-dhhs6seh36
- MD5: f432e138bab35689962a8f5db4943c68
- SHA1: 8a177b6eff085b725b7852e3d5978923b058983a
- SHA256: 4fb44ab10d15da11952bca16bae94bd4929eed33fdf277c184bf903f8bbe2c1e
- SHA512: 00589150e8f8eb73477e27a5c0e82130dac237500533dc72bb37d9ca6c8a0da4b3f2874fe9da629bcb312eaa00ade9adf31412d7966b258ae5297f458a412eac
- SSDEEP: 12288:hxTk5gQ+GzG4X4xWk+l8Kt/07oTcactW71AT2NM+3JRStdSByO1nrsWFJDo3o:hJd6iWkTC07RoZ7M+3JydSByonrsAo3o
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Dispatch Details.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: Dispatch Details.exe
  - Resource: win10v2004-20231215-en
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.sdlbd.net
- Port: 587
- Username: [email protected]
- Password: 4-CKMOaqPd*Y
- Email To: [email protected]
Targets
- Target: Dispatch Details.exe
- Size: 666KB
- MD5: 311d25fbd99f007e030d5e0ee174f73c
- SHA1: b055ceb16c9a6eb74875f47b3746851e8ecccedd
- SHA256: 6b8bddabcfb3f12258d513da1d26230a9ca39b3d1796afd63fa32cb9d29594db
- SHA512: b26231ca787e0a5875c6c61b054205d94aeac47e2054448b890e76dc99bb7c3b77e7e8a630af0ebef5684985dda47f41c605531bc0eba81b181d1efcf64c3af4
- SSDEEP: 12288:IxEd6x+J3cYI8CLWk+lyKt/0/iTwactW75AT2645dQgv28bt2m+T4Y4nq8syWxF:IxcGOIxWknC0/5olxKx8MmrI
Score: 10/10
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext