General

  • Target

    AFC Drawing for POMB Support Base.exe

  • Size

    245KB

  • Sample

    240506-h4af5sdb4s

  • MD5

    eaa4063b22edbfb291c5d66acac6dfe3

  • SHA1

    416ed8f73fb134cac9fecb3cb5dea409317ebf21

  • SHA256

    5bc488bb19629699f5ef130f3bc37a5edf155dedb22220bfbfa49bf8bee45901

  • SHA512

    64bb802d17433e4c4bbcb1bf76a353326b141fd2cfb55440e64dff3576e61d6029ed95844ddeb2dbcd29852439486c5c05b107aada6b613948efe423e43bfe9e

  • SSDEEP

    3072:np6d0SCBM+0sr5h5gVBqHWniEHcsQh6WdNUhjVI8l+X1845b46DsFG+if:0H8512UfnUI1jtf

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1263338506:AAEo1afaqZcanZqwKGJF2HA7xr6YOHyXHtU/

Targets

    • Target

      AFC Drawing for POMB Support Base.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
