Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 07:58 UTC

General

  • Target

    FACTURA-098767k.bat.exe

  • Size

    2.6MB

  • MD5

    98e00105d9bdeb0c10a0987cb657b0b9

  • SHA1

    f5cb6141dc4eafa33aa03c5a2e2a9dd19af576b0

  • SHA256

    7cfd9f48da9d60e61380a3bf7b4bdde5a03817a7d95bfd9f84c228a2e313fab8

  • SHA512

    a7c27c4fc8b8a81d94172ae7199c42b7e6137f8e7c4cc7396042e927c35e47f65564968cc951a011ec9e5b73def8f622ed59d8f978ef973962ff579adcf56e1c

  • SSDEEP

    6144:6lEwrBTf7qi2dFXtYpJqCZ+Ub5nJnYa8kWZc3m9tJLK5E2XlXszMBug7Osngx2qY:ZSdtUFXtiP8oZUq7Gtg7vnml6

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    johnson@antoniomayol.com
  • Password:
    cMhKDQUk1{;%

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Agenttesla family
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FACTURA-098767k.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\FACTURA-098767k.bat.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2808
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3016

    Network

    • DNS (US)
      ip-api.com
      installutil.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • GET (US)
      http://ip-api.com/line/?fields=hosting
      installutil.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line/?fields=hosting HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 17 Jan 2025 07:58:12 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 6
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • 208.95.112.1:80
      http://ip-api.com/line/?fields=hosting
      http
      installutil.exe
      310 B
      347 B
      5
      4

      HTTP Request

      GET http://ip-api.com/line/?fields=hosting

      HTTP Response

      200
    • 8.8.8.8:53
      ip-api.com
      dns
      installutil.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3016-1-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/3016-3-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/3016-5-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/3016-6-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

    • memory/3016-7-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB

    • memory/3016-8-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

    • memory/3016-9-0x0000000074E80000-0x000000007556E000-memory.dmp

      Filesize

      6.9MB
