General
Target: 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlsx
Size: 675KB
Sample: 240607-bzgakafd3x
MD5: 71e83cfe190375b478e42933ac4e1997
SHA1: bd4ce42a4599837b7a819e41ab740881f2f9bbd1
SHA256: 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0
SHA512: a7a1fb14380353be5200ab7360a7338b8fe93f93f614faa03cfc296a9f87a7c8188cd09ecc06ef30192ffcbd8d4da25b95dae77d70a12755769e232dd6d82bb3
SSDEEP: 12288:DQnWa/bT29nrmgHgFSPn643Cyne30ZPN9P2X9CcDhZ28mGEWOVPJ9u0aJ2BrupA+:sMAs6A1e3of2XM01mtVxEpQBrdGDYw
Static task
static1
Behavioral task
behavioral1
Sample: 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam
Resource: win7-20240508-en
Behavioral task
behavioral2
Sample: 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam
Resource: win10v2004-20240508-en
Malware Config
Targets
Target: 4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlsx (675KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET.
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIt scripts compiled to PE executables.
- Suspicious use of SetThreadContext
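The three behavioural signatures above that the report explains least (the external-IP lookup, the compiled-AutoIt executable and the cross-process SetThreadContext) can be reproduced over sandbox evidence with a few lines of logic. The block below is an added example, not tria.ge's rule code: the list of IP-lookup hostnames, the `AU3!EA06` marker used to recognise compiled AutoIt v3 scripts, and the "suspended child + WriteProcessMemory + SetThreadContext" prelude used to grade a hollowing attempt are this editor's assumptions about how such rules are commonly written, and all network events, API calls and file bytes are constructed inline (the fake "PE" is just an `MZ` prefix with the marker embedded, not a real binary).

```python
"""Re-implementation sketch of three tria.ge behavioural signatures over
constructed sandbox evidence. Added example; not the sandbox's own code."""
import re
from dataclasses import dataclass

# Public "what is my IP" services commonly contacted by stealers.
# Assumed list for the example; a production rule keeps this elsewhere.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.dyndns.org",
    "ifconfig.me", "ipinfo.io", "checkip.amazonaws.com",
}

# Marker string carried by scripts compiled with AutoIt v3 (assumption: the
# rule keys on this marker, as public YARA rules for AutoIt do).
AUTOIT_MARKER = b"AU3!EA06"

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess


@dataclass
class NetEvent:
    pid: int
    method: str
    url: str


@dataclass
class ApiCall:
    pid: int
    api: str
    args: dict


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL; '' if unparsable."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def external_ip_lookups(events):
    """'Looks up external IP address via web service'."""
    return [e for e in events if host_of(e.url) in IP_LOOKUP_HOSTS]


def is_compiled_autoit(data: bytes) -> bool:
    """'AutoIT Executable': an MZ file carrying the AutoIt v3 script marker."""
    return data.startswith(b"MZ") and AUTOIT_MARKER in data


def suspicious_setthreadcontext(calls):
    """'Suspicious use of SetThreadContext'.

    Flags SetThreadContext aimed at a thread of *another* process and records
    whether the classic hollowing prelude (child created suspended, then
    WriteProcessMemory into it) preceded the call."""
    suspended, written, hits = set(), set(), []
    for c in calls:
        if c.api == "CreateProcessW" and c.args.get("flags", 0) & CREATE_SUSPENDED:
            suspended.add(c.args["child_pid"])
        elif c.api == "WriteProcessMemory":
            written.add(c.args["target_pid"])
        elif c.api == "SetThreadContext" and c.args["target_pid"] != c.pid:
            t = c.args["target_pid"]
            hits.append({"pid": c.pid, "target_pid": t,
                         "hollowing_prelude": t in suspended and t in written})
    return hits


# Constructed evidence, shaped like what a sandbox report would carry.
SAMPLE_NET = [
    NetEvent(1000, "GET", "http://api.ipify.org/"),
    NetEvent(1000, "GET", "http://example.invalid/update.bin"),
]
SAMPLE_API = [
    ApiCall(1000, "CreateProcessW", {"child_pid": 2000, "flags": CREATE_SUSPENDED}),
    ApiCall(1000, "WriteProcessMemory", {"target_pid": 2000}),
    ApiCall(1000, "SetThreadContext", {"target_pid": 2000}),
    ApiCall(1000, "ResumeThread", {"target_pid": 2000}),
    ApiCall(3000, "SetThreadContext", {"target_pid": 3000}),  # own thread: benign
]
SAMPLE_DROPPED = {  # constructed bytes, not real PE files
    "dropped_a.exe": b"MZ" + b"\x00" * 64 + b"\xa3HK\xbe" + AUTOIT_MARKER + b"\x00" * 16,
    "dropped_b.exe": b"MZ\x90\x00" + b"\x00" * 32,
}


def evaluate(net, api, dropped):
    """Return {signature_name: fired?} for the constructed evidence."""
    return {
        "Looks up external IP address via web service": bool(external_ip_lookups(net)),
        "AutoIT Executable": any(is_compiled_autoit(b) for b in dropped.values()),
        "Suspicious use of SetThreadContext": bool(suspicious_setthreadcontext(api)),
    }


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLE_NET, SAMPLE_API, SAMPLE_DROPPED).items():
        print(f"[{'x' if fired else ' '}] {name}")
```

The SetThreadContext check deliberately ignores a process setting the context of its own threads, which is routine in runtimes and debuggers; the cross-process case with a suspended child and a prior memory write is the pattern worth escalating.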