Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23/04/2024, 01:26
Static task
static1
Behavioral task
behavioral1
Sample
RFQ 001 NEW SPARES.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RFQ 001 NEW SPARES.exe
Resource
win10v2004-20240412-en
General
-
Target
RFQ 001 NEW SPARES.exe
-
Size
708KB
-
MD5
08fc900324a6638bef917f0ca6817a72
-
SHA1
feddb0f8c85a6b4f3ab6f46e58adbcfc4d414888
-
SHA256
657d6ec7990d1192c0e20480932361cfd5689a959d475c19074a731fe821da8d
-
SHA512
4f03312dc309cbfde6d0889633e5827430e72fe99e76469ae7fc196d6bc28f96f35007343f04f6496ff6ae1172a4513f6a2afceeed63cd151224fb41c0aed281
-
SSDEEP
12288:+U1hF9WMQaD99zd8+liMp8FI4pSH33C83TmmKd4VilttA1GkSli:+UP2MZD99uIv7Dmm/VilDA1Gnl
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.albushrametalic.com - Port:
587 - Username:
[email protected] - Password:
GLBL1285# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2080 set thread context of 3040 2080 RFQ 001 NEW SPARES.exe 28 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2080 RFQ 001 NEW SPARES.exe 2080 RFQ 001 NEW SPARES.exe 2080 RFQ 001 NEW SPARES.exe 3040 RFQ 001 NEW SPARES.exe 3040 RFQ 001 NEW SPARES.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2080 RFQ 001 NEW SPARES.exe Token: SeDebugPrivilege 3040 RFQ 001 NEW SPARES.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28 PID 2080 wrote to memory of 3040 2080 RFQ 001 NEW SPARES.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ 001 NEW SPARES.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 001 NEW SPARES.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\RFQ 001 NEW SPARES.exe"C:\Users\Admin\AppData\Local\Temp\RFQ 001 NEW SPARES.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-