Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2405_CHITA...v0.exe

windows7-x64

10

2405_CHITA...v0.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

EDDS_EQUIP...v0.exe

windows7-x64

10

EDDS_EQUIP...v0.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    144s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe

  • Size

    604KB

  • MD5

    3324de16eb0e440903c72cbee9a45745

  • SHA1

    9ad4c703faa1fb94f6964c4d58f9c12093d1476b

  • SHA256

    faa9ce28bfc9c5fb0269a22b8aa8254cf41b92fef96b777f96bee32c3ccfaf31

  • SHA512

    5448f0e94cf05463e1da895d08c2a2eb65d2290d84e96afc9e4aa0c2f6cf1ed2300ad5c135b7c78ca513eb1d6f3706afe9188488c6046538627b681b88648c9f

  • SSDEEP

    6144:awHYKFddt6tm77A6KHV0aB/6bt6pjeWdok8/7AaRuTJ+lVO3DVX4EM5h8wk/hxlY:aiFZhAH10EjNRb8DFSuOOJnHYj9o

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe
    "C:\Users\Admin\AppData\Local\Temp\2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe
      "C:\Users\Admin\AppData\Local\Temp\2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsq4930.tmp\System.dll
    Filesize

    12KB

    MD5

    e227391c7ff576135eac4871e78ebe2d

    SHA1

    85d4bdbb79bdc47095ca35ed2141b2e64d029218

    SHA256

    edf12a3040cff0d801a86c02313d6605b41d766807f3dcb261754cf01b4e14b9

    SHA512

    06f1b65dd980c6aac17518faf34d200453fedf893efa01bfc71128ccb1a70abcd7165f581c9789caf80776fac313a4e754df7b58f7467930a666de37b55396a6

    Download Submit

  • memory/856-26-0x0000000004B80000-0x00000000069EF000-memory.dmp

    Filesize

    30.4MB

    Download

  • memory/856-10-0x0000000077CC1000-0x0000000077DE1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/856-11-0x0000000074915000-0x0000000074916000-memory.dmp

    Filesize

    4KB

    Download

  • memory/856-9-0x0000000004B80000-0x00000000069EF000-memory.dmp

    Filesize

    30.4MB

    Download

  • memory/4608-12-0x0000000001720000-0x000000000358F000-memory.dmp

    Filesize

    30.4MB

    Download

  • memory/4608-25-0x00000000004C0000-0x0000000001714000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4608-27-0x00000000004C0000-0x0000000000500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4608-28-0x00000000363C0000-0x0000000036964000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4608-29-0x0000000033ED0000-0x0000000033F36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4608-31-0x00000000360D0000-0x0000000036120000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4608-32-0x0000000036B70000-0x0000000036C02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4608-33-0x0000000036380000-0x000000003638A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4608-35-0x0000000001720000-0x000000000358F000-memory.dmp

    Filesize

    30.4MB

    Download