Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Mapper.exe
-
Size
1.7MB
-
Sample
240720-2ajbqszcll
-
MD5
5d0b35b51c1b7f9712b36edb255e9072
-
SHA1
aff304e6112c109530642645cd6c3538d7ffc7f4
-
SHA256
6114bee7621c4e309db46f13d535f874e27408632b690139882974eeaf1fff7a
-
SHA512
5515c662d9567fe97b355586dabc7ef617fc2d9a02fbe717cd3822e83e58aef139e9e343f2ad9c48ec1461dd460dde805a3b93383322929f7bba868f8496495b
-
SSDEEP
24576:zaD8LXqqmV6WHwoo/vxsVCNX1zEOUaiesAVAdX7z5tdXegUbyGdSzVw8A/Vi:pWJvHw3XxkCPzNzsASdXvUg5Gd/
Malware Config
Targets
-
-
Target
Mapper.exe
-
Size
1.7MB
-
MD5
5d0b35b51c1b7f9712b36edb255e9072
-
SHA1
aff304e6112c109530642645cd6c3538d7ffc7f4
-
SHA256
6114bee7621c4e309db46f13d535f874e27408632b690139882974eeaf1fff7a
-
SHA512
5515c662d9567fe97b355586dabc7ef617fc2d9a02fbe717cd3822e83e58aef139e9e343f2ad9c48ec1461dd460dde805a3b93383322929f7bba868f8496495b
-
SSDEEP
24576:zaD8LXqqmV6WHwoo/vxsVCNX1zEOUaiesAVAdX7z5tdXegUbyGdSzVw8A/Vi:pWJvHw3XxkCPzNzsASdXvUg5Gd/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Looks for VirtualBox Guest Additions in registry
-
Downloads MZ/PE file
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-