General

  • Target

    nRFQ3530904_3000030453_19.03.2024.iso

  • Size

    228KB

  • Sample

    240319-qtbkfsea5s

  • MD5

    d42f73f698fb3919de5c52afdcdd2c96

  • SHA1

    58b5d63b042bc7279ff1f93b96c1aa225638aac6

  • SHA256

    589ff5fe38affd1583e9d10185a72c7ecfcbe6a7f31e7bdb3d4fd421fa6fc028

  • SHA512

    9bf762229d6fa67e37dc033efc4f844fcb43589aacde79319194035d0515c663bc16ed50daef04ffcd9d6b7274af651189a0ec4e76eba6abb751ba56076bdeaa

  • SSDEEP

    6144:7c4yENVOY0NpVXpK68kH3DPbkhZi3eNRQxkjW4RBt:EPZTOVRf

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.oysterglobalsa.com.ar
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Tobiasinfo1

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      RFQ3530904_3000030453_19.03.2024.vbs

    • Size

      167KB

    • MD5

      a66a59b3ecfeb23d87909fc5f251538e

    • SHA1

      b0317dbed465df71b328e35776cf8bb5398e58ea

    • SHA256

      9531a0453fb29dafae440ba874c0178ff913de9b600f118b3d4447036989deec

    • SHA512

      334ffdcc9e91be2e72b26979f1ff09a98882270accd28161696e54a3f8eb5bcee944ff6510b3c338d2ca0d75221398e87075db572cbfd0c6225a1ed6793ab6f0

    • SSDEEP

      3072:sc4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNR+FXOukEbs1cf4GgBo4K0QX3:sc4yENVOY0NpVXpK68kH3DPbkhZi3eNq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks