Analysis
max time kernel: 34s
max time network: 35s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 19:53
General
Target: Redwolf.Crypter.exe
Size: 2.7MB
MD5: 05e029861eabed701354fb9be1531758
SHA1: c5c6a2a5aa45222b089cf7d49e6868b123dec237
SHA256: 47186ae4cf99e391580f17ea6549fc05c6a4839f7ce1d2ec7c60f52d0438ba05
SHA512: fb6e5beff29b7d9a3400fe4c8caa79affd88dddf878378bb70f54bcc3a8237f6097ae21cb857a674da919b8706aecab1d625a319ec79ceb53dca27aaeb8f74c6
SSDEEP: 49152:MA60A6FIm7P/Go4SkGMITYbNbNWo4kSH3OqtwIjkqXfd+/9AqAanV:aSFhP/GogGMIT4bNJFY3OqtXkqXf0FPb
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
resource                                                                    yara_rule
behavioral1/memory/4080-6-0x0000000005410000-0x0000000005624000-memory.dmp  family_agenttesla

Drops file in Drivers directory (3 IoCs)
description                   ioc                                        Process
File created                  C:\Windows\System32\drivers\etc\hosts.bak  Redwolf.Crypter.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts.bak  Redwolf.Crypter.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts      Redwolf.Crypter.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Redwolf.Crypter.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    Redwolf.Crypter.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Redwolf.Crypter.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       Redwolf.Crypter.exe