General
- Target: 2c79efff8958d72ea87da05593ae8e168f7c0e9bcbbc5f73ec390784337e99df.zip
- Size: 1003KB
- Sample: 240316-cmq5nshd9y
- MD5: 919b5bd425ab7d5f075dea732e154502
- SHA1: e2ef46ae4e7c52716aa86427ad86a1f06ea74daa
- SHA256: 2c79efff8958d72ea87da05593ae8e168f7c0e9bcbbc5f73ec390784337e99df
- SHA512: d8d4bf05879ae83579303bf3127fe4f1c79dbc6468eee549ce709a8e5d639040885097c9f04448a568a361dcf05bea1b905c78acad12a2fe8150363f08f846c6
- SSDEEP: 24576:7nX1Vr3eCTE68k1squ/y70/Yvu0DLDP8RFacb8bb2r:zeCTKkqq+yA/YW6T2IP2r
Static task: static1
Behavioral task: behavioral1
- Sample: Bibeskftigelserne221.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Bibeskftigelserne221.exe
- Resource: win10v2004-20240226-en
Behavioral task: behavioral3
- Sample: Schizopod/Nonmakeup101.ps1
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: Schizopod/Nonmakeup101.ps1
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: hwuo jybd dtga lmyz
Extracted (agenttesla)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: hwuo jybd dtga lmyz
- Email To: [email protected]
Targets
- Target: Bibeskftigelserne221.exe
- Size: 1.2MB
- MD5: 792dec181c3f286826d04aecd6cf32f1
- SHA1: d71c41fd445053571453dd43f8071e058de19ced
- SHA256: ec9fe9526ec132e17c934f5b3993f164b8cb5ec15813171c04f63ff563ad4f1e
- SHA512: fddd91dc77476ba57be516a4a4893beadcb84cf7d916bc80fda92640ec8a5a6b3e3a3efba72f5d56b9a0af6bf2a8092d40131825ed2c10b99a1367e47c169748
- SSDEEP: 24576:7BG3e6TOKsix+24/2LoxYHum/1DJQRzEWbo/bwo:dGe6TOiE202sxYOO10UDwo
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Target: Schizopod/Nonmakeup101.Pan55
- Size: 53KB
- MD5: 2e56e126a7f68c9dbb6167bfc1cd26c2
- SHA1: e45b4e9dff74f0711968994253b8fcaf39a5f8e3
- SHA256: b3fb58fdae2d31784f1b1c4f62b2c20a985789de7cb63b6e4748168aac4fb70a
- SHA512: 15b0861ae57b05cc8906d8706332797da2152d44f16ba4c89da37fc6ec5753d543e890d898ecda384bcf1cf18894291a94262959dd7f395649e220629a814e3d
- SSDEEP: 1536:Gz9YtlEnPI/VDPvl1vT47lZs98nds/Z5m3:0beDPtBTEaE2/C
- Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.