Analysis

  • max time kernel
    119s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/12/2024, 02:31 UTC

General

  • Target

    2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe

  • Size

    941KB

  • MD5

    42555dbdcc01fddb6e68265cc5704b5b

  • SHA1

    543e5153ad0bc094841e40330567ac8e9abb2d48

  • SHA256

    2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d

  • SHA512

    027029b37e79edf8f5156e6d651c5aca4608a6ccad14eac33c32a0c92b4814f43c59ae1f46fba454d21af6d5de9fcbd8f6a6b99bd4db2c7d19915adf9416107f

  • SSDEEP

    12288:I2dhHhAIqUmkY/Tz9P+okSieKdNBJrC2lZNYheNhlK:5dhBArUmxrBP+BSGdC2lQeFK

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    belogs@beirutrest.com
  • Password:
    9yXQ39wz(uL+

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer that exfiltrates harvested credentials over channels such as SMTP, FTP or HTTP; this sample is configured for FTP (see Malware Config above).

  • Agenttesla family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths or processes; here it excludes the sample's own executable by path. Defender records such a change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the host's geographical location.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
    "C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
      "C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe"
      2⤵
      PID:2280
    • C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
      "C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe"
      2⤵
      PID:964
    • C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
      "C:\Users\Admin\AppData\Local\Temp\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:940
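
The process tree above shows two things worth alerting on in endpoint telemetry: the parent (PID 1172) launching PowerShell to exclude its own binary from Defender, and the same parent spawning three copies of its own image (the usual shape of process hollowing, matching the SetThreadContext and WriteProcessMemory signatures). The script below is an added example, not part of the sandbox report or of any vendor tooling. The log records in it are constructed to mirror the tree, using the PIDs, image paths and command line from the report; the field names (pid, ppid, image, cmdline) are an assumption about the log source, roughly Sysmon Event ID 1. It matches PowerShell by basename rather than full path because, as the tree shows, the 32-bit sample launched powershell.exe from SysWOW64 while its command line names System32 (WOW64 file-system redirection).

```python
"""Flag Defender-exclusion and self-spawn behaviour in process-creation logs.

Added example, not from the sandbox report. Records below are constructed to
mirror the report's process tree; field names are an assumed log schema.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe")

# Constructed process-creation records mirroring the report (ppid of the
# root process is made up; the report does not show it).
EVENTS = [
    {"pid": 1172, "ppid": 4321, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1204, "ppid": 1172,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                f'Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 2280, "ppid": 1172, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 964, "ppid": 1172, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 940, "ppid": 1172, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
]

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Locations an unprivileged user can write to; an exclusion here shields
# whatever the attacker drops next, so it rates higher than a system path.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|"
    r"programdata|users\\public|windows\\temp)", re.I)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by one
# or more comma-separated values (quoted or bare) up to the next parameter.
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(.+?)(?=\s+-\w|\s*$)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def exclusion_values(cmdline):
    """Return [(kind, value), ...] for every exclusion set on the command line."""
    found = []
    for kind, raw in EXCLUSION_ARG.findall(cmdline):
        for value in raw.split(","):
            value = value.strip().strip("\"'")
            if value:
                found.append((kind.lower(), value))
    return found


def defender_exclusion_alerts(events):
    """Flag PowerShell processes that add Defender exclusions.

    Match on the image basename, not the full path: the report shows
    powershell.exe running from SysWOW64 although the command line says
    System32, because the 32-bit parent hit WOW64 redirection.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        if not re.search(r"(add|set)-mppreference", e["cmdline"], re.I):
            continue
        parent = by_pid.get(e["ppid"])
        for kind, value in exclusion_values(e["cmdline"]):
            alerts.append({
                "pid": e["pid"],
                "kind": kind,
                "value": value,
                "user_writable": bool(USER_WRITABLE.match(value)),
                # The parent excluding its own binary is exactly this report.
                "self_exclusion": parent is not None
                and parent["image"].lower() == value.lower(),
            })
    return alerts


def self_spawn_alerts(events, min_children=2):
    """Flag a process that spawns several copies of its own image.

    That is what PID 1172 does above and is the usual hollowing pattern:
    spawn self suspended, overwrite the image, resume via SetThreadContext.
    Corroborate with the injection signatures; browsers also spawn themselves.
    """
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == basename(e["image"]):
            children[e["ppid"]].append(e["pid"])
    return [{"parent": p, "children": c} for p, c in children.items()
            if len(c) >= min_children]


if __name__ == "__main__":
    for alert in defender_exclusion_alerts(EVENTS) + self_spawn_alerts(EVENTS):
        print(alert)
```

Run against the constructed events it returns one exclusion alert for PID 1204 (path exclusion, user-writable, self-exclusion by the parent) and one self-spawn alert for PID 1172 with children 2280, 964 and 940. On a real host, pair the exclusion alert with Defender event 5007 and a review of Get-MpPreference output before trusting the machine's AV state.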

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        83.210.23.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        83.210.23.2.in-addr.arpa
        IN PTR
        Response
        83.210.23.2.in-addr.arpa
        IN PTR
        a2-23-210-83.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        0.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        api.ipify.org
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        Remote address:
        8.8.8.8:53
        Request
        api.ipify.org
        IN A
        Response
        api.ipify.org
        IN A
        172.67.74.152
        api.ipify.org
        IN A
        104.26.12.205
        api.ipify.org
        IN A
        104.26.13.205
      • flag-us
        GET
        https://api.ipify.org/
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        Remote address:
        172.67.74.152:443
        Request
        GET / HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
        Host: api.ipify.org
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Tue, 17 Dec 2024 02:31:55 GMT
        Content-Type: text/plain
        Content-Length: 14
        Connection: keep-alive
        Vary: Origin
        cf-cache-status: DYNAMIC
        Server: cloudflare
        CF-RAY: 8f337fea0992eefd-LHR
        server-timing: cfL4;desc="?proto=TCP&rtt=48448&min_rtt=46832&rtt_var=20795&sent=7&recv=6&lost=0&retrans=1&sent_bytes=2990&recv_bytes=452&delivery_rate=35794&cwnd=240&unsent_bytes=0&cid=3783e07af2233497&ts=461&x=0"
      • flag-us
        DNS
        152.74.67.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        152.74.67.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        beirutrest.com
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        Remote address:
        8.8.8.8:53
        Request
        beirutrest.com
        IN A
        Response
        beirutrest.com
        IN A
        50.87.144.157
      • flag-us
        DNS
        157.144.87.50.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.144.87.50.in-addr.arpa
        IN PTR
        Response
        157.144.87.50.in-addr.arpa
        IN PTR
        gator3122.hostgator.com
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        92.12.20.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        92.12.20.2.in-addr.arpa
        IN PTR
        Response
        92.12.20.2.in-addr.arpa
        IN PTR
        a2-20-12-92.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        20.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        20.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • 172.67.74.152:443
        https://api.ipify.org/
        tls, http
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        1.0kB
        3.9kB
        11
        10

        HTTP Request

        GET https://api.ipify.org/

        HTTP Response

        200
      • 50.87.144.157:21
        beirutrest.com
        ftp
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        646 B
        1.1kB
        12
        13
      • 50.87.144.157:30797
        beirutrest.com
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        1.0kB
        132 B
        5
        3
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        83.210.23.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        83.210.23.2.in-addr.arpa

      • 8.8.8.8:53
        0.159.190.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        0.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        api.ipify.org
        dns
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        59 B
        107 B
        1
        1

        DNS Request

        api.ipify.org

        DNS Response

        172.67.74.152
        104.26.12.205
        104.26.13.205

      • 8.8.8.8:53
        152.74.67.172.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        152.74.67.172.in-addr.arpa

      • 8.8.8.8:53
        beirutrest.com
        dns
        2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe
        60 B
        76 B
        1
        1

        DNS Request

        beirutrest.com

        DNS Response

        50.87.144.157

      • 8.8.8.8:53
        157.144.87.50.in-addr.arpa
        dns
        72 B
        109 B
        1
        1

        DNS Request

        157.144.87.50.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        92.12.20.2.in-addr.arpa
        dns
        69 B
        131 B
        1
        1

        DNS Request

        92.12.20.2.in-addr.arpa

      • 8.8.8.8:53
        20.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        20.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa
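
Of the connections listed above, only the api.ipify.org and beirutrest.com rows carry the sample's process name; the PTR queries against Microsoft and Akamai ranges have no process attribution and read as sandbox background. The attributed rows form a single chain: an external-IP lookup, an FTP control connection to beirutrest.com:21, then a second connection to the same host on port 30797 that sends about 1 kB and receives 132 B. The report does not label that last connection; reading it as the passive-mode data channel carrying the upload is an inference. The script below is an added example, not from the sandbox report, that turns such rows into an exfiltration chain and a blockable indicator set. Its records are constructed from the table; treating the two byte columns as bytes sent and bytes received, in that order, is an assumption about the report layout. Because the transport is plain FTP, the credentials shown under Malware Config also cross the wire in cleartext and can be confirmed from a packet capture of the control connection.

```python
"""Turn sandbox connection rows into an FTP exfiltration chain.

Added example, not from the sandbox report. Records are constructed from the
report's Network table; the tx/rx column order is an assumption.
"""
from dataclasses import dataclass, field

# Services that only tell a host its public IP. A hit here right before C2
# is a common stealer precursor; the service itself is not an indicator and
# must not end up on a blocklist.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org",
                      "icanhazip.com", "ifconfig.me"}
EPHEMERAL_MIN = 1024


@dataclass
class Conn:
    seq: int        # position in the report
    dst_ip: str
    dst_port: int
    host: str       # name the report resolved for the peer, "" if none
    proto: str      # protocol label shown in the report, "" if unlabelled
    tx: int         # bytes sent by the sample (assumed column order)
    rx: int         # bytes received by the sample


# Constructed from the three connections the report attributes to the sample.
CONNS = [
    Conn(0, "172.67.74.152", 443, "api.ipify.org", "tls, http", 1000, 3900),
    Conn(1, "50.87.144.157", 21, "beirutrest.com", "ftp", 646, 1100),
    Conn(2, "50.87.144.157", 30797, "beirutrest.com", "", 1000, 132),
]


@dataclass
class FtpChain:
    control: Conn
    data: list = field(default_factory=list)
    ip_check_before: bool = False

    @property
    def uploaded(self):
        return sum(c.tx for c in self.data)

    @property
    def downloaded(self):
        return sum(c.rx for c in self.data)

    @property
    def direction(self):
        return "upload" if self.uploaded > self.downloaded else "download"


def ftp_chains(conns):
    """Pair each FTP control connection with its later data channels.

    In passive mode the server hands out a high port and the client opens a
    second connection to it, so a follow-on connection to the same address
    on an ephemeral port is taken as the data channel. That is how the
    report's 30797 connection is read here; the report itself does not say.
    """
    conns = sorted(conns, key=lambda c: c.seq)
    chains = []
    for ctl in conns:
        if ctl.dst_port != 21 and "ftp" not in ctl.proto.lower():
            continue
        chain = FtpChain(control=ctl)
        chain.ip_check_before = any(
            c.seq < ctl.seq and c.host in IP_LOOKUP_SERVICES for c in conns)
        chain.data = [c for c in conns
                      if c.seq > ctl.seq and c.dst_ip == ctl.dst_ip
                      and c.dst_port >= EPHEMERAL_MIN]
        chains.append(chain)
    return chains


def indicators(chains):
    """Blockable (host, ip, port) tuples: control channels only.

    Passive data ports are chosen per session, so blocking 30797 would stop
    nothing; IP-lookup services are excluded for the reason given above.
    """
    return {(ch.control.host, ch.control.dst_ip, ch.control.dst_port)
            for ch in chains if ch.control.host not in IP_LOOKUP_SERVICES}


if __name__ == "__main__":
    for ch in ftp_chains(CONNS):
        print(f"{ch.control.host}:{ch.control.dst_port} data ports "
              f"{[c.dst_port for c in ch.data]} {ch.direction} "
              f"{ch.uploaded} B, ip check first: {ch.ip_check_before}")
    print(indicators(ftp_chains(CONNS)))
```

For the constructed rows this yields one chain (control on port 21, data on 30797, roughly 1 kB uploaded, preceded by the ipify lookup) and a single indicator, beirutrest.com / 50.87.144.157 on port 21.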

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2b1c8e28590c81630fe3c284857734161139c1998cdd28e899cd1049bf5fff0d.exe.log

        Filesize

        1KB

        MD5

        8ec831f3e3a3f77e4a7b9cd32b48384c

        SHA1

        d83f09fd87c5bd86e045873c231c14836e76a05c

        SHA256

        7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

        SHA512

        26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2uaojbbb.dnc.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/940-11-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

      • memory/940-61-0x0000000007060000-0x00000000070B0000-memory.dmp

        Filesize

        320KB

      • memory/940-18-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/940-19-0x0000000005860000-0x00000000058C6000-memory.dmp

        Filesize

        408KB

      • memory/940-62-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/940-63-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/940-14-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1172-5-0x0000000005230000-0x000000000523A000-memory.dmp

        Filesize

        40KB

      • memory/1172-10-0x000000000AB60000-0x000000000ABFC000-memory.dmp

        Filesize

        624KB

      • memory/1172-9-0x0000000008370000-0x00000000083F6000-memory.dmp

        Filesize

        536KB

      • memory/1172-8-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1172-7-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

        Filesize

        4KB

      • memory/1172-15-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1172-6-0x00000000055C0000-0x00000000055DE000-memory.dmp

        Filesize

        120KB

      • memory/1172-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

        Filesize

        4KB

      • memory/1172-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1172-3-0x0000000005290000-0x0000000005322000-memory.dmp

        Filesize

        584KB

      • memory/1172-2-0x0000000005840000-0x0000000005DE4000-memory.dmp

        Filesize

        5.6MB

      • memory/1172-1-0x0000000000870000-0x0000000000962000-memory.dmp

        Filesize

        968KB

      • memory/1204-23-0x0000000004F80000-0x0000000004FE6000-memory.dmp

        Filesize

        408KB

      • memory/1204-50-0x0000000007150000-0x000000000716A000-memory.dmp

        Filesize

        104KB

      • memory/1204-21-0x0000000005060000-0x0000000005688000-memory.dmp

        Filesize

        6.2MB

      • memory/1204-33-0x0000000005870000-0x0000000005BC4000-memory.dmp

        Filesize

        3.3MB

      • memory/1204-34-0x0000000005E20000-0x0000000005E3E000-memory.dmp

        Filesize

        120KB

      • memory/1204-35-0x0000000005F00000-0x0000000005F4C000-memory.dmp

        Filesize

        304KB

      • memory/1204-36-0x00000000063F0000-0x0000000006422000-memory.dmp

        Filesize

        200KB

      • memory/1204-37-0x0000000070830000-0x000000007087C000-memory.dmp

        Filesize

        304KB

      • memory/1204-47-0x0000000006430000-0x000000000644E000-memory.dmp

        Filesize

        120KB

      • memory/1204-48-0x0000000006E30000-0x0000000006ED3000-memory.dmp

        Filesize

        652KB

      • memory/1204-49-0x0000000007790000-0x0000000007E0A000-memory.dmp

        Filesize

        6.5MB

      • memory/1204-22-0x0000000004E60000-0x0000000004E82000-memory.dmp

        Filesize

        136KB

      • memory/1204-51-0x00000000071C0000-0x00000000071CA000-memory.dmp

        Filesize

        40KB

      • memory/1204-52-0x00000000073D0000-0x0000000007466000-memory.dmp

        Filesize

        600KB

      • memory/1204-53-0x0000000007350000-0x0000000007361000-memory.dmp

        Filesize

        68KB

      • memory/1204-54-0x0000000007380000-0x000000000738E000-memory.dmp

        Filesize

        56KB

      • memory/1204-55-0x0000000007390000-0x00000000073A4000-memory.dmp

        Filesize

        80KB

      • memory/1204-56-0x0000000007490000-0x00000000074AA000-memory.dmp

        Filesize

        104KB

      • memory/1204-57-0x0000000007470000-0x0000000007478000-memory.dmp

        Filesize

        32KB

      • memory/1204-60-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1204-20-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1204-17-0x0000000074BB0000-0x0000000075360000-memory.dmp

        Filesize

        7.7MB

      • memory/1204-16-0x00000000024F0000-0x0000000002526000-memory.dmp

        Filesize

        216KB
