Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
05/09/2024, 01:57 UTC
General
-
Target
f84fb3796d2afde51b6249b7656cef901cf8b66ae2ea5ba105dabc8683cf4236.exe
-
Size
667KB
-
MD5
e046d7010507e6501ab1c686631afd23
-
SHA1
60d78477fd3e9a17f782a3abdfdea5d3d7fb5239
-
SHA256
f84fb3796d2afde51b6249b7656cef901cf8b66ae2ea5ba105dabc8683cf4236
-
SHA512
1684cb55bcb4d08c75e6bef3ff8833cf0721899d9ab67f7e6bc4b3bf2531aab240ed8ebccdeb543775806d2b2db4f81a6754596234a73d936756837d385998b1
-
SSDEEP
12288:xs05Es3wtYY5taht1nxVmRhHOh50p8ykbOLVtG7mLbrxUh:uyEs3wyEtsfxVm7k28/RKTxU
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.jeepcommerce.rs - Port:
21 - Username:
d09913@jeepcommerce.rs - Password:
q[0r3BqZHV[u
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f84fb3796d2afde51b6249b7656cef901cf8b66ae2ea5ba105dabc8683cf4236.exe"C:\Users\Admin\AppData\Local\Temp\f84fb3796d2afde51b6249b7656cef901cf8b66ae2ea5ba105dabc8683cf4236.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSapi.ipify.orgRemote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A172.67.74.152api.ipify.orgIN A104.26.13.205api.ipify.orgIN A104.26.12.205 -
GEThttps://api.ipify.org/Remote address:172.67.74.152:443RequestGET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 01:58:02 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8be29ca6cdf3cdc2-LHR
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/line/?fields=hostingRemote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 01:58:01 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 58
X-Rl: 43
-
172.67.74.152:443https://api.ipify.org/tls, http
HTTP Request
GET https://api.ipify.org/HTTP Response
200 -
208.95.112.1:80http://ip-api.com/line/?fields=hostinghttp
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200
-
8.8.8.8:53api.ipify.orgdns
DNS Request
api.ipify.org
DNS Response
172.67.74.152104.26.13.205104.26.12.205
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
696KB
-
Filesize
6.9MB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
528KB
-
Filesize
264KB