General

  • Target

    5712a2391ceea014323d4e43edd48069d4c2887b694df861db4a35ff32b20d64.7z

  • Size

    66KB

  • Sample

    240514-bnanmsdc3w

  • MD5

    4069b07fd62a80aa4b52c3ce72a9cd42

  • SHA1

    6b5b417375323c00fd7ed56758248fcf27efa697

  • SHA256

    5712a2391ceea014323d4e43edd48069d4c2887b694df861db4a35ff32b20d64

  • SHA512

    b2b693b9fb85dfe366c9d3c1ce938d15f75a9a27c548cb74eb9df5b1dfcc2ebcf21ddbbc2e27043866bfa9cf52ee2342965c10698b208f2f485167762409783c

  • SSDEEP

    1536:pzkAnBnacO2uE4oxZk7MQ4vB5DrPCJSDyiCiceI:LnMcORsXnQbiCiceI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    sendaadmin@marfinllc.shop
  • Password:
    YuWsikfV67lD
  • Email To:
    admin@marfinllc.shop

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    66.29.151.236
  • Port:
    587
  • Username:
    sendaadmin@marfinllc.shop
  • Password:
    YuWsikfV67lD

Targets

    • Target

      INVOICE.exe

    • Size

      205KB

    • MD5

      494992eed787907766ef59dbec953d6b

    • SHA1

      ff02df9c31bd5462c912c84b040430682ac0304c

    • SHA256

      92fa9b6f4856cfd35907ac59a621ab7dcbb49550ae29b9131d570f5c1b6c4313

    • SHA512

      7c7318962a1273d1635f5fbf9dbd27f667148a6a2c30bcbf9a33440dabf1f566d40eaeee3a635d1742816bfa5c3fe2fe0efd48eb8b1a43e81fc575105c161943

    • SSDEEP

      3072:P8ANnCDDRvLGprOAOkGt6+duWA/t/SHUebbxCbGgKk12qk/FPYm21KLbDoUssNXA:UkstvLGcxLbMUMK2dH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks