Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

caf4b10a21...1b.exe

windows7-x64

7

caf4b10a21...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 01:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe

  • Size

    51KB

  • MD5

    b590cc8881bf3f255800f14cedd0dd57

  • SHA1

    19eb6694c13c1ad1be23d7425c2500c59090f30b

  • SHA256

    caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b

  • SHA512

    2a90a4ffb48a975d6c061cf618a23753f2b26082bb27e80567c09d16d1e87d104fe87ba0f18110ffe23858d758f689e62c155d8926ab824d644050d04621c233

  • SSDEEP

    384:DQc7UaUMrg7ilYqCndq5I16MjSj67WBTk0BthfifTZ2GShq6ki2lKxiIiW1sQS+1:EEDrgsCKc0Bvfr7F2zInyQS+ST6nkC1

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    162.254.34.31
  • Port:
    587
  • Username:
    sendxhaiti@vetrys.shop
  • Password:
    6RLYuUCIH8hN
  • Email To:
    haiti@vetrys.shop

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
        "C:\Users\Admin\AppData\Local\Temp\caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:684
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548

    Network

    • flag-us
      DNS
      oshi.at
      caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
      Remote address:
      8.8.8.8:53
      Request
      oshi.at
      IN A
      Response
      oshi.at
      IN A
      194.15.112.248
    • flag-cz
      GET
      https://oshi.at/PApJ
      caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
      Remote address:
      194.15.112.248:443
      Request
      GET /PApJ HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
      Host: oshi.at
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 24 Jan 2025 01:20:30 GMT
      Content-Type: application/octet-stream
      Content-Length: 1096200
      Connection: keep-alive
      Accept-Ranges: bytes
      Last-Modified: Mon, 20 Jan 2025 09:30:54 GMT
      Content-Disposition: attachment; filename=eEAF.wav
      ETag: "2c2595874456a38cb906288e62292af2"
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      145.136.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      145.136.73.23.in-addr.arpa
      IN PTR
      Response
      145.136.73.23.in-addr.arpa
      IN PTR
      a23-73-136-145deploystaticakamaitechnologiescom
    • flag-us
      DNS
      248.112.15.194.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      248.112.15.194.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      203.109.54.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.109.54.23.in-addr.arpa
      IN PTR
      Response
      203.109.54.23.in-addr.arpa
      IN PTR
      a23-54-109-203deploystaticakamaitechnologiescom
    • flag-us
      DNS
      api.ipify.org
      InstallUtil.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      104.26.12.205
      api.ipify.org
      IN A
      104.26.13.205
      api.ipify.org
      IN A
      172.67.74.152
    • flag-us
      GET
      https://api.ipify.org/
      InstallUtil.exe
      Remote address:
      104.26.12.205:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 24 Jan 2025 01:20:39 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      cf-cache-status: DYNAMIC
      Server: cloudflare
      CF-RAY: 906c33c57d51e8fa-LHR
      server-timing: cfL4;desc="?proto=TCP&rtt=48849&min_rtt=46933&rtt_var=13331&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2980&recv_bytes=452&delivery_rate=77301&cwnd=253&unsent_bytes=0&cid=6e50e11ddcbcd37b&ts=190&x=0"
    • flag-us
      DNS
      205.12.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.12.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      24.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.139.73.23.in-addr.arpa
      IN PTR
      Response
      24.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-24deploystaticakamaitechnologiescom
    • flag-us
      DNS
      138.136.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      138.136.73.23.in-addr.arpa
      IN PTR
      Response
      138.136.73.23.in-addr.arpa
      IN PTR
      a23-73-136-138deploystaticakamaitechnologiescom
    • 194.15.112.248:443
      https://oshi.at/PApJ
      tls, http
      caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
      20.2kB
       1.1MB
       427
      826

      HTTP Request

      GET https://oshi.at/PApJ

      HTTP Response

      200
    • 104.26.12.205:443
      https://api.ipify.org/
      tls, http
      InstallUtil.exe
      854 B
       3.8kB
       9
      9

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 8.8.8.8:53
      oshi.at
      dns
      caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
      53 B
       69 B
       1
      1

      DNS Request

      oshi.at

      DNS Response

      194.15.112.248

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      145.136.73.23.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      145.136.73.23.in-addr.arpa

    • 8.8.8.8:53
      248.112.15.194.in-addr.arpa
      dns
      73 B
       141 B
       1
      1

      DNS Request

      248.112.15.194.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      203.109.54.23.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      203.109.54.23.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      InstallUtil.exe
      59 B
       107 B
       1
      1

      DNS Request

      api.ipify.org

      DNS Response

      104.26.12.205
      104.26.13.205
      172.67.74.152

    • 8.8.8.8:53
      205.12.26.104.in-addr.arpa
      dns
      72 B
       134 B
       1
      1

      DNS Request

      205.12.26.104.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      24.139.73.23.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      24.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      138.136.73.23.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      138.136.73.23.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/684-0-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/684-1-0x0000000000D70000-0x0000000000D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/684-2-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-3-0x00000000069E0000-0x0000000006AF2000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/684-4-0x00000000070A0000-0x0000000007644000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/684-5-0x0000000006BB0000-0x0000000006C42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/684-17-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-15-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-7-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-6-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-21-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-67-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-69-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-65-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-63-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-61-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-59-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-57-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-53-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-51-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-49-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-45-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-43-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-41-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-39-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-37-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-35-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-33-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-55-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-47-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-31-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-29-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-25-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-23-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-19-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-13-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-11-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-9-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-27-0x00000000069E0000-0x0000000006AEC000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/684-1328-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-1329-0x0000000006CB0000-0x0000000006D1C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/684-1330-0x0000000006D80000-0x0000000006DEA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/684-1331-0x0000000006F80000-0x0000000006FCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/684-1332-0x0000000006FF0000-0x0000000007044000-memory.dmp

      Filesize

      336KB

      Download

    • memory/684-1339-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-1336-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/684-1344-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-1342-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-1341-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/684-1345-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2548-1346-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2548-1347-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2548-1348-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2548-1349-0x00000000054C0000-0x0000000005526000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2548-1350-0x00000000068D0000-0x0000000006920000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2548-1351-0x0000000006940000-0x000000000694A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2548-1352-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.