Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

QUOTE.exe

windows7-x64

10

QUOTE.exe

windows10-2004-x64

10

Infami/Met...ne.ps1

windows7-x64

8

Infami/Met...ne.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    86fd65c991039149a153bd61e8ffc9595fccdb8b4230be495ffc5e42eb84d6d4

  • Size

    1.2MB

  • Sample

    240315-cg3lhsdg91

  • MD5

    3f5e10b67063fedee5b41c5100b75583

  • SHA1

    771538ad273311b09c8c5c9f680cf18717a6a2aa

  • SHA256

    86fd65c991039149a153bd61e8ffc9595fccdb8b4230be495ffc5e42eb84d6d4

  • SHA512

    fed33cd0e6cb97173847a8787493499c07d120cd51d2ff1acc9b407e6e1a5f9f5d0af282e6979925c6944c161c91b853667a4a5392bbb4b8a3d81f3eaaf196e9

  • SSDEEP

    12288:WXcHy1gqOppGq+k1imLwauAZCjeqJKu7:WXcS1JOppNxw2wauTJH7

Score
10/10
agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      QUOTE.exe

    • Size

      346KB

    • MD5

      70c8145c188bf89c25f085e001c6f9a7

    • SHA1

      d3e24cdd7272965ba04b8a0a7013c79e2633f7aa

    • SHA256

      4cb733e05325fdf02dfaf5982ca2a8917373658aed1e328869077e92c6d73225

    • SHA512

      445f9f092241810359fcd7e319ec5f0dc40a4f19656484085a37201b5dd348a246bb1916b9ee526292cdab00068c5f2ddaacc259470c440d4bd82c6ad6cfa40c

    • SSDEEP

      6144:5XCKG5Hob1T0qQzmnMpv+j++KqfUuuMSR7EDaLLt+a5YiCmbnIGZmXjeqJKnuG2a:5XcHy1gqOppGq+k1imLwauAZCjeqJKuE

    Score
    10/10
    guloaderdownloaderagentteslakeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Infami/Metagaster/Brnehaveklasserne.Mom

    • Size

      53KB

    • MD5

      2a4402450d6e37b4c5f6434e8e2548ae

    • SHA1

      29b0d015b4c7420b576f3ce745b95f16f416045e

    • SHA256

      05e03c9da534face56a3181a98e7194ce73a4638f713523d26aa97486f427eea

    • SHA512

      e5a69a27041b0c1f8592861e820da036edc41cf3b0d630a6eea8e1cb8935ff88a5aec6a231e240c2c3fa52c47c64608ea84924cb6165170e3ee144335fbb4387

    • SSDEEP

      1536:7uclUIfUW1MRADKnHPiRLeZ1/3pJ45WhfDntzBZ:7unW1MBnaFeZ1/3pJ40Rz

    Score
    8/10
    persistence

    • Modifies Installed Components in the registry

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks