Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

K98766700.exe

windows7-x64

10

K98766700.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    99c0e75f8605e8ca554aaa823b36b795097c54fc58bb14eb13e22beac0054d57

  • Size

    585KB

  • Sample

    241214-bjpxrssmgy

  • MD5

    6bd15ba8e668389936424c0ae33aa249

  • SHA1

    c462b8382500d499e840f95dfc9dbf3edd635375

  • SHA256

    99c0e75f8605e8ca554aaa823b36b795097c54fc58bb14eb13e22beac0054d57

  • SHA512

    c7458b8c954c661e956f8fefc498884c2e3f5672a56d63368d29076fd8f6a850cfb78012664e3c5498849eff29d2cfce0308729a254204677a1f017ad64396b4

  • SSDEEP

    12288:8j8Gx7KrANdY1jXS4xriQO4U2C+MqSh8Bm+QlxH08FhMaXNuM7eZ:8p7Kr2dY1jXNxp997CHTEaXNuRZ

Score
10/10
agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.antoniomayol.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • Target

      K98766700.exe

    • Size

      589KB

    • MD5

      e39c7cf026df55a909a7e18eea93b027

    • SHA1

      1a41eb5df90bcc53c0a80ce38fa99747de6eb237

    • SHA256

      b862fbe92f3de0e033b66e3c9d3afad4d6ff41d8b3553094f66a98db6ba59f0c

    • SHA512

      711c3fddc4aaa37afa6f1c11ff426edfe19ebfae6d955abd23699887d9cf5f31038c2812ac526190d3c7d4fa7a094117be45d75acc6b16fd80c1d13d2eb426f6

    • SSDEEP

      12288:zVAf8axZKrGhdYzjLKUxlyQs6U2+8sq6hcBy+QjnHYyFhqaX3ub:GZKrudYzjL/xp95b6RbCaX3ub

    Score
    10/10
    agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks