General

  • Target

    0111d8dff50eb7684ed4baf327b93aa5.bin

  • Size

    656KB

  • Sample

    240420-bcnfcsda5w

  • MD5

    a1d14e04340c21939a024328bacd451d

  • SHA1

    997c658703852e689f2d6e2a627f1bb5124ebd21

  • SHA256

    1cb0ca3af59255865a8c8563014eaf58d1f60b5769c8bfb762476dfa880d5ecb

  • SHA512

    d7215dcfa3cd0de5f39a2a63fe2db99bc8bcaf2e108bff7dc3517f5fbefe2c9bcff02a110e5add6dc184f557ee54b34ee17045099ff9f08df96ef1777842b099

  • SSDEEP

    12288:tH3L+AIGfEYvzAGW+0fy7L4HY6e6nHbYx8RL2vz1+QksjP4ADmWSOAOye0NgD8r:tb+Ikb/fy7QE6n7xp2vAQksjP4orye2f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.viexaisa-gr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ($eyukx1

Targets

    • Target

      27f8fe9e4c2cf7bedf462a311aaf91698fb375f7002cdb3b290e872b6a27768c.exe

    • Size

      684KB

    • MD5

      0111d8dff50eb7684ed4baf327b93aa5

    • SHA1

      e88281f919ce248f011265396f60e6245f5a639c

    • SHA256

      27f8fe9e4c2cf7bedf462a311aaf91698fb375f7002cdb3b290e872b6a27768c

    • SHA512

      ece7bd6f1101d8f028033876db2735c3b9fd11aabf6157ca08a2025aed969b4cf4baf7f9a4f2750edcf73c08593c2a88a49359684270a3592875b303d5043b0d

    • SSDEEP

      12288:RVQmxUxWxKWNG/6xdWySZeh3I7O1/mnfv+hHG0i1e9f7qmKNDTKvAkR:Iq31PGehQc/myHG0weSPKf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks