Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/06/2024, 14:26 UTC

General

  • Target

    MV TBN_VLS's DETAILS.xls.scr

  • Size

    701KB

  • MD5

    f837b18ae77cf2e191972bc723ee5ebc

  • SHA1

    31f548b020ff5c73957dc74fc702574322e658c8

  • SHA256

    28e686d3d4c2ca997fdabbfb88c07afc77920015217bd22d82f7b08334010044

  • SHA512

    2203198e130abcfbae21c280512705cdc94352d5a3324fa1dd372caa5ad661c262c4f358a142e43e4d6603a079de5b851e5ea5e0d97abe95114b18d19e162312

  • SSDEEP

    12288:PbxdKt/rFfa7FpQpWc8nNZQuGu8Qs7cyytHeVA4sas66mBHu8ecI2:zjKN5i7XQ8c8n0xdcyyQ1F72N2

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Reads WinSCP keys stored on the system (2 TTPs)

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\MV TBN_VLS's DETAILS.xls.scr
    "C:\Users\Admin\AppData\Local\Temp\MV TBN_VLS's DETAILS.xls.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Users\Admin\AppData\Local\Temp\MV TBN_VLS's DETAILS.xls.scr
      "C:\Users\Admin\AppData\Local\Temp\MV TBN_VLS's DETAILS.xls.scr"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4116
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:392

    Network

    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      152.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      152.107.17.2.in-addr.arpa
      IN PTR
      Response
      152.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-152.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      71.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.165.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.165.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      172.217.169.10
      chromewebstore.googleapis.com
      IN A
      216.58.212.234
      chromewebstore.googleapis.com
      IN A
      172.217.169.74
      chromewebstore.googleapis.com
      IN A
      142.250.179.234
      chromewebstore.googleapis.com
      IN A
      142.250.180.10
      chromewebstore.googleapis.com
      IN A
      142.250.187.202
      chromewebstore.googleapis.com
      IN A
      142.250.187.234
      chromewebstore.googleapis.com
      IN A
      142.250.178.10
      chromewebstore.googleapis.com
      IN A
      172.217.16.234
      chromewebstore.googleapis.com
      IN A
      142.250.200.10
      chromewebstore.googleapis.com
      IN A
      142.250.200.42
      chromewebstore.googleapis.com
      IN A
      216.58.201.106
      chromewebstore.googleapis.com
      IN A
      216.58.204.74
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN A
      Response
      pki.goog
      IN A
      216.239.32.29
    • flag-us
      DNS
      pki.goog
      Remote address:
      8.8.8.8:53
      Request
      pki.goog
      IN Unknown
      Response
    • flag-us
      GET
      http://pki.goog/gsr1/gsr1.crt
      Remote address:
      216.239.32.29:80
      Request
      GET /gsr1/gsr1.crt HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 797
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Mon, 03 Jun 2024 14:16:01 GMT
      Expires: Mon, 03 Jun 2024 15:06:01 GMT
      Cache-Control: public, max-age=3000
      Age: 693
      Last-Modified: Wed, 20 May 2020 16:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gtsr1.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gtsr1.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1371
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Mon, 03 Jun 2024 14:23:09 GMT
      Expires: Mon, 03 Jun 2024 15:13:09 GMT
      Cache-Control: public, max-age=3000
      Age: 265
      Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      GET
      http://pki.goog/repo/certs/gts1c3.der
      Remote address:
      216.239.32.29:80
      Request
      GET /repo/certs/gts1c3.der HTTP/1.1
      Host: pki.goog
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Encoding: gzip
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1304
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Mon, 03 Jun 2024 13:46:13 GMT
      Expires: Mon, 03 Jun 2024 14:36:13 GMT
      Cache-Control: public, max-age=3000
      Age: 2481
      Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
      Content-Type: application/pkix-cert
      Vary: Accept-Encoding
    • flag-us
      DNS
      10.169.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.169.217.172.in-addr.arpa
      IN PTR
      Response
      10.169.217.172.in-addr.arpa
      IN PTR
      lhr25s26-in-f10.1e100.net
    • flag-us
      DNS
      29.32.239.216.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.32.239.216.in-addr.arpa
      IN PTR
      Response
      29.32.239.216.in-addr.arpa
      IN PTR
      any-in-201d.1e100.net
    • flag-us
      DNS
      api.ipify.org
      MV TBN_VLS's DETAILS.xls.scr
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      104.26.13.205
      api.ipify.org
      IN A
      172.67.74.152
      api.ipify.org
      IN A
      104.26.12.205
    • flag-us
      GET
      https://api.ipify.org/
      MV TBN_VLS's DETAILS.xls.scr
      Remote address:
      104.26.13.205:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Mon, 03 Jun 2024 14:27:42 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 88e05d8e0f679484-LHR
    • flag-us
      DNS
      205.13.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.13.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      beirutrest.com
      MV TBN_VLS's DETAILS.xls.scr
      Remote address:
      8.8.8.8:53
      Request
      beirutrest.com
      IN A
      Response
      beirutrest.com
      IN A
      50.87.144.157
    • flag-us
      DNS
      157.144.87.50.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.144.87.50.in-addr.arpa
      IN PTR
      Response
      157.144.87.50.in-addr.arpa
      IN PTR
      gator3122.hostgator.com
    • flag-us
      DNS
      203.107.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.107.17.2.in-addr.arpa
      IN PTR
      Response
      203.107.17.2.in-addr.arpa
      IN PTR
      a2-17-107-203.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      34.56.20.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      34.56.20.217.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.192.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.192.11.51.in-addr.arpa
      IN PTR
      Response
    • 172.217.169.10:443
      chromewebstore.googleapis.com
      tls
      909 B
      5.2kB
      8
      7
    • 216.239.32.29:80
      http://pki.goog/repo/certs/gts1c3.der
      http
      1.3kB
      6.1kB
      10
      10

      HTTP Request

      GET http://pki.goog/gsr1/gsr1.crt

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gtsr1.der

      HTTP Response

      200

      HTTP Request

      GET http://pki.goog/repo/certs/gts1c3.der

      HTTP Response

      200
    • 104.26.13.205:443
      https://api.ipify.org/
      tls, http
      MV TBN_VLS's DETAILS.xls.scr
      946 B
      5.5kB
      11
      10

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 50.87.144.157:21
      beirutrest.com
      ftp
      MV TBN_VLS's DETAILS.xls.scr
      646 B
      1.2kB
      12
      13
    • 50.87.144.157:32278
      beirutrest.com
      MV TBN_VLS's DETAILS.xls.scr
      1.0kB
      132 B
      5
      3
    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      152.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      152.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      71.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      26.165.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      26.165.165.52.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      283 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      172.217.169.10
      216.58.212.234
      172.217.169.74
      142.250.179.234
      142.250.180.10
      142.250.187.202
      142.250.187.234
      142.250.178.10
      172.217.16.234
      142.250.200.10
      142.250.200.42
      216.58.201.106
      216.58.204.74

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
      132 B
      1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      70 B
      1
      1

      DNS Request

      pki.goog

      DNS Response

      216.239.32.29

    • 8.8.8.8:53
      pki.goog
      dns
      54 B
      128 B
      1
      1

      DNS Request

      pki.goog

    • 8.8.8.8:53
      10.169.217.172.in-addr.arpa
      dns
      73 B
      112 B
      1
      1

      DNS Request

      10.169.217.172.in-addr.arpa

    • 8.8.8.8:53
      29.32.239.216.in-addr.arpa
      dns
      72 B
      107 B
      1
      1

      DNS Request

      29.32.239.216.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      MV TBN_VLS's DETAILS.xls.scr
      59 B
      107 B
      1
      1

      DNS Request

      api.ipify.org

      DNS Response

      104.26.13.205
      172.67.74.152
      104.26.12.205

    • 8.8.8.8:53
      205.13.26.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      205.13.26.104.in-addr.arpa

    • 8.8.8.8:53
      beirutrest.com
      dns
      MV TBN_VLS's DETAILS.xls.scr
      60 B
      76 B
      1
      1

      DNS Request

      beirutrest.com

      DNS Response

      50.87.144.157

    • 8.8.8.8:53
      157.144.87.50.in-addr.arpa
      dns
      72 B
      109 B
      1
      1

      DNS Request

      157.144.87.50.in-addr.arpa

    • 8.8.8.8:53
      203.107.17.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      203.107.17.2.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      34.56.20.217.in-addr.arpa
      dns
      71 B
      131 B
      1
      1

      DNS Request

      34.56.20.217.in-addr.arpa

    • 8.8.8.8:53
      50.192.11.51.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      50.192.11.51.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/4116-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4116-20-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4116-19-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4116-18-0x00000000064A0000-0x00000000064F0000-memory.dmp

      Filesize

      320KB

    • memory/4116-16-0x0000000004F60000-0x0000000004FC6000-memory.dmp

      Filesize

      408KB

    • memory/4116-15-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4116-13-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4664-5-0x0000000004B80000-0x0000000004B8A000-memory.dmp

      Filesize

      40KB

    • memory/4664-8-0x0000000007C00000-0x0000000007C10000-memory.dmp

      Filesize

      64KB

    • memory/4664-9-0x0000000007C40000-0x0000000007CC2000-memory.dmp

      Filesize

      520KB

    • memory/4664-10-0x000000000A4B0000-0x000000000A54C000-memory.dmp

      Filesize

      624KB

    • memory/4664-7-0x0000000007BE0000-0x0000000007BEE000-memory.dmp

      Filesize

      56KB

    • memory/4664-12-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

      Filesize

      4KB

    • memory/4664-6-0x0000000007BB0000-0x0000000007BC6000-memory.dmp

      Filesize

      88KB

    • memory/4664-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

      Filesize

      4KB

    • memory/4664-4-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4664-17-0x0000000074D90000-0x0000000075540000-memory.dmp

      Filesize

      7.7MB

    • memory/4664-3-0x0000000004C10000-0x0000000004CA2000-memory.dmp

      Filesize

      584KB

    • memory/4664-2-0x00000000051C0000-0x0000000005764000-memory.dmp

      Filesize

      5.6MB

    • memory/4664-1-0x00000000000C0000-0x0000000000176000-memory.dmp

      Filesize

      728KB