Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

WZAgent.exe

windows10-2004-x64

10

Resubmissions

22/09/2024, 09:23 UTC

240922-lcmh6ssclm 9

21/09/2024, 08:10 UTC

240921-j2tbxasfjj 9

21/09/2024, 07:38 UTC

240921-jggsda1gjl 9

28/07/2024, 17:11 UTC

240728-vp9c5syajh 10

18/06/2024, 14:08 UTC

240618-rfnhjaxanf 10

Analysis

  • max time kernel
    41s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/06/2024, 14:08 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WZAgent.exe

  • Size

    26.2MB

  • MD5

    4cf978f2749291d8d9a722cf8bd9d9ea

  • SHA1

    2580a9be8bc6994987cc4951a4690efd7077ea92

  • SHA256

    ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

  • SHA512

    d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d

  • SSDEEP

    786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714

Score
10/10
agentteslaagilenetevasionkeyloggerspywarestealerthemidatrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
    "C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:632
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3724

    Network

    • flag-us
      DNS
      playagent.io
      WZAgent.exe
      Remote address:
      8.8.8.8:53
      Request
      playagent.io
      IN A
    • flag-us
      DNS
      playagent.io
      WZAgent.exe
      Remote address:
      8.8.8.8:53
      Request
      playagent.io
      IN A
    • flag-us
      DNS
      playagent.io
      WZAgent.exe
      Remote address:
      8.8.8.8:53
      Request
      playagent.io
      IN A
    • flag-us
      DNS
      playagent.io
      WZAgent.exe
      Remote address:
      8.8.8.8:53
      Request
      playagent.io
      IN A
    • flag-us
      DNS
      playagent.io
      WZAgent.exe
      Remote address:
      8.8.8.8:53
      Request
      playagent.io
      IN A
    No results found
    • 8.8.8.8:53
      playagent.io
      dns
      WZAgent.exe
      290 B
       5

      DNS Request

      playagent.io

      DNS Request

      playagent.io

      DNS Request

      playagent.io

      DNS Request

      playagent.io

      DNS Request

      playagent.io

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll
      Filesize

      4.0MB

      MD5

      8e839b26c5efed6f41d6e854e5e97f5b

      SHA1

      5cb71374f72bf6a63ff65a6cda57ff66c3e54836

      SHA256

      1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

      SHA512

      92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

      Download Submit

    • memory/632-21-0x0000000000400000-0x0000000002606000-memory.dmp

      Filesize

      34.0MB

      Download

    • memory/632-32-0x0000000029860000-0x00000000298D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/632-5-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-6-0x0000000000400000-0x0000000002606000-memory.dmp

      Filesize

      34.0MB

      Download

    • memory/632-7-0x0000000000400000-0x0000000002606000-memory.dmp

      Filesize

      34.0MB

      Download

    • memory/632-8-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-1-0x00007FFF05914000-0x00007FFF05915000-memory.dmp

      Filesize

      4KB

      Download

    • memory/632-15-0x00007FFEE5870000-0x00007FFEE6399000-memory.dmp

      Filesize

      11.2MB

      Download

    • memory/632-17-0x00007FFEE5870000-0x00007FFEE6399000-memory.dmp

      Filesize

      11.2MB

      Download

    • memory/632-18-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-20-0x00007FFEE5870000-0x00007FFEE6399000-memory.dmp

      Filesize

      11.2MB

      Download

    • memory/632-0-0x0000000000400000-0x0000000002606000-memory.dmp

      Filesize

      34.0MB

      Download

    • memory/632-2-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-24-0x0000000021530000-0x0000000022388000-memory.dmp

      Filesize

      14.3MB

      Download

    • memory/632-22-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-25-0x00000000053E0000-0x0000000005456000-memory.dmp

      Filesize

      472KB

      Download

    • memory/632-26-0x0000000020860000-0x0000000020A52000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/632-27-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-30-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-29-0x00007FFEE5870000-0x00007FFEE6399000-memory.dmp

      Filesize

      11.2MB

      Download

    • memory/632-31-0x0000000029730000-0x00000000297E2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/632-23-0x00007FFEF4840000-0x00007FFEF498E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/632-35-0x00007FFEE5870000-0x00007FFEE6399000-memory.dmp

      Filesize

      11.2MB

      Download

    • memory/632-36-0x00007FFF058B0000-0x00007FFF05B79000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/632-37-0x0000000000400000-0x0000000002606000-memory.dmp

      Filesize

      34.0MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.