Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9a9b3cf198...68.exe

windows7-x64

10

9a9b3cf198...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2024, 14:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe

  • Size

    631KB

  • MD5

    00261db2bfac32edfbdbf38b51370c13

  • SHA1

    6de5e2fcfb1f6195d6b241da62b9c9888f0ca44f

  • SHA256

    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68

  • SHA512

    a9c4602fd38f366077d851b89f793be0b2f44b7dd306590b62b4a8ee53b3bf6c828f060bc7305539ecce133a255c8f04b8d3200c61750183f50619fc620e2dac

  • SSDEEP

    12288:RwfufVLrggT2l/PhteSmaYmpMMnFMc4v3CPkQgdOeXk/U:Rw0V/gG8/PhtqaY2FgOck/U

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    testlab@apexrnun.com
  • Password:
    %qroUozO;(C2Rlyb

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    testlab@apexrnun.com
  • Password:
    %qroUozO;(C2Rlyb
  • Email To:
    testbox@apexrnun.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    "C:\Users\Admin\AppData\Local\Temp\9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Users\Admin\AppData\Local\Temp\9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
      "C:\Users\Admin\AppData\Local\Temp\9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1796

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    ip-api.com
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 04 Sep 2024 14:53:21 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-apicom
  • flag-us
    DNS
    mail.apexrnun.com
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.apexrnun.com
    IN A
    Response
    mail.apexrnun.com
    IN A
    185.196.9.150
  • flag-us
    DNS
    150.9.196.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    150.9.196.185.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    310 B
     347 B
     5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 185.196.9.150:587
    mail.apexrnun.com
    smtp-submission
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    2.7kB
     5.4kB
     20
    23
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
     95 B
     1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    mail.apexrnun.com
    dns
    9a9b3cf1980533ad02913deca0cb3c9a16a26f6a73e320bb707150a3db4c2b68.exe
    63 B
     79 B
     1
    1

    DNS Request

    mail.apexrnun.com

    DNS Response

    185.196.9.150

  • 8.8.8.8:53
    150.9.196.185.in-addr.arpa
    dns
    72 B
     149 B
     1
    1

    DNS Request

    150.9.196.185.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1796-11-0x00000000059B0000-0x0000000005A16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1796-9-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1796-15-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1796-14-0x0000000006EF0000-0x0000000006F40000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1796-12-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1796-10-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4652-4-0x0000000005930000-0x000000000593A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4652-8-0x0000000005970000-0x0000000005978000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4652-1-0x0000000000D60000-0x0000000000E04000-memory.dmp

    Filesize

    656KB

    Download

  • memory/4652-7-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4652-6-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4652-5-0x0000000005AA0000-0x0000000005B10000-memory.dmp

    Filesize

    448KB

    Download

  • memory/4652-0-0x000000007515E000-0x000000007515F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4652-13-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4652-3-0x0000000005800000-0x0000000005892000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4652-2-0x0000000005D00000-0x00000000062A4000-memory.dmp

    Filesize

    5.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.