Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ZAMOWIEN.EXE.exe

windows7-x64

10

ZAMOWIEN.EXE.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ZAMOWIEN.EXE.exe

  • Size

    1.4MB

  • Sample

    250326-jkweyaspz6

  • MD5

    bb8ebb7e2951662ced5e2f65684155b5

  • SHA1

    4da55f17a8425484b999e3eceac42fd4882aea59

  • SHA256

    89e85fa592b8da5c4b6538ff706e875b7a8bb5d48ab74dbd0a0fbd953eb954b0

  • SHA512

    189981b9e9ef1232abf5990c880338eed2ced9589eec5fae3d3d534b1dedbf49dc086937607e85204d1dd71d48984608cf0e231e88a227d46fb9917498161679

  • SSDEEP

    24576:EuMVWyZ20itWf6QKP28rNaoA3loPwtJhUADiiB2Lln/bsOgAdjv0LZi:EuMQm2fCbEA3GPsPUGIngABvK

Score
10/10
agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • Target

      ZAMOWIEN.EXE.exe

    • Size

      1.4MB

    • MD5

      bb8ebb7e2951662ced5e2f65684155b5

    • SHA1

      4da55f17a8425484b999e3eceac42fd4882aea59

    • SHA256

      89e85fa592b8da5c4b6538ff706e875b7a8bb5d48ab74dbd0a0fbd953eb954b0

    • SHA512

      189981b9e9ef1232abf5990c880338eed2ced9589eec5fae3d3d534b1dedbf49dc086937607e85204d1dd71d48984608cf0e231e88a227d46fb9917498161679

    • SSDEEP

      24576:EuMVWyZ20itWf6QKP28rNaoA3loPwtJhUADiiB2Lln/bsOgAdjv0LZi:EuMQm2fCbEA3GPsPUGIngABvK

    Score
    10/10
    agentteslaguloaderdiscoverydownloaderkeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      12b140583e3273ee1f65016becea58c4

    • SHA1

      92df24d11797fefd2e1f8d29be9dfd67c56c1ada

    • SHA256

      014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

    • SHA512

      49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

    • SSDEEP

      192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks