Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/01/2025, 01:45 UTC

General

  • Target

    7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe

  • Size

    1.5MB

  • MD5

    4212dd2aaf1b4a9676b27d280273db44

  • SHA1

    41dca2b1f0a2450e773ea98f1427e5fd78905fb5

  • SHA256

    7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848

  • SHA512

    bfd88210e6103b1ddb89900bb6baa74d3a76c43b2510bd541d932f6808fdcad77cdcf12a1475a1b47a32359166c17e8c9c62d32f986e9fc21aa290456a3dcaf2

  • SSDEEP

    24576:y/FH/8izXYKTjkr1CrMGy+mGQOsXv1RIAhjLoamMiX4lNmZg0YxegPbUIDPP:y/FH/8yXYKyRSmGEjLoyEkmZ9Y14

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alumisr.com
  • Port:
    587
  • Username:
    sales@alumisr.com
  • Password:
    *Eg_alpr_SL@77*79#

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alumisr.com
  • Port:
    587
  • Username:
    sales@alumisr.com
  • Password:
    *Eg_alpr_SL@77*79#
  • Email To:
    sarah_borte.com.cn@dr.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Agenttesla family
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
    "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
      "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
      2⤵
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
        "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
        2⤵
          PID:2100
        • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
          "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
          2⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4948

      Network

      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        104.219.191.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.219.191.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.210.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.210.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        167.173.78.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        167.173.78.104.in-addr.arpa
        IN PTR
        Response
        167.173.78.104.in-addr.arpa
        IN PTR
        a104-78-173-167.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        53.210.109.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        53.210.109.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        mail.alumisr.com
        7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
        Remote address:
        8.8.8.8:53
        Request
        mail.alumisr.com
        IN A
        Response
        mail.alumisr.com
        IN A
        162.241.244.121
      • flag-us
        DNS
        121.244.241.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        121.244.241.162.in-addr.arpa
        IN PTR
        Response
        121.244.241.162.in-addr.arpa
        IN PTR
        box5137.bluehost.com
      • flag-us
        DNS
        85.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        85.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.236.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.236.111.52.in-addr.arpa
        IN PTR
        Response
      • 162.241.244.121:587
        mail.alumisr.com
        smtp-submission
        7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
        2.0kB
        4.9kB
        18
        20
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        104.219.191.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        104.219.191.52.in-addr.arpa

      • 8.8.8.8:53
        172.210.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.210.232.199.in-addr.arpa

      • 8.8.8.8:53
        167.173.78.104.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        167.173.78.104.in-addr.arpa

      • 8.8.8.8:53
        28.118.140.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        28.118.140.52.in-addr.arpa

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        53.210.109.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        53.210.109.20.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        mail.alumisr.com
        dns
        7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
        62 B
        78 B
        1
        1

        DNS Request

        mail.alumisr.com

        DNS Response

        162.241.244.121

      • 8.8.8.8:53
        121.244.241.162.in-addr.arpa
        dns
        74 B
        108 B
        1
        1

        DNS Request

        121.244.241.162.in-addr.arpa

      • 8.8.8.8:53
        85.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        85.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        23.236.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        23.236.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • memory/4792-12-0x000000000ACE0000-0x000000000AD7C000-memory.dmp

        Filesize

        624KB

      • memory/4792-6-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

        Filesize

        104KB

      • memory/4792-2-0x0000000005CD0000-0x0000000006274000-memory.dmp

        Filesize

        5.6MB

      • memory/4792-3-0x00000000057C0000-0x0000000005852000-memory.dmp

        Filesize

        584KB

      • memory/4792-4-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4792-5-0x0000000005860000-0x000000000586A000-memory.dmp

        Filesize

        40KB

      • memory/4792-11-0x00000000051B0000-0x0000000005232000-memory.dmp

        Filesize

        520KB

      • memory/4792-7-0x00000000752EE000-0x00000000752EF000-memory.dmp

        Filesize

        4KB

      • memory/4792-8-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4792-9-0x000000000AA30000-0x000000000AA3E000-memory.dmp

        Filesize

        56KB

      • memory/4792-1-0x0000000000C40000-0x0000000000DC0000-memory.dmp

        Filesize

        1.5MB

      • memory/4792-10-0x000000000AA40000-0x000000000AA8C000-memory.dmp

        Filesize

        304KB

      • memory/4792-16-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4792-13-0x000000000AE30000-0x000000000AE96000-memory.dmp

        Filesize

        408KB

      • memory/4792-14-0x000000000AC80000-0x000000000ACBA000-memory.dmp

        Filesize

        232KB

      • memory/4792-19-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4792-0-0x00000000752EE000-0x00000000752EF000-memory.dmp

        Filesize

        4KB

      • memory/4948-18-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4948-15-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

      • memory/4948-20-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4948-21-0x00000000052E0000-0x00000000052F8000-memory.dmp

        Filesize

        96KB

      • memory/4948-22-0x00000000067D0000-0x0000000006820000-memory.dmp

        Filesize

        320KB

      • memory/4948-23-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

      • memory/4948-24-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB
