General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe

  • Size

    750KB

  • Sample

    221129-e25mqahf5w

  • MD5

    46a7a058edfa81f6532fac581d21480d

  • SHA1

    00a6651203b712edeb00595baa133db111a4ec06

  • SHA256

    458fefa707435c36315bf410b3318c34a83da7e4bb2429986ba4ab95986d9d11

  • SHA512

    cd25eb2833f17898c283470afceceed5d90c0162d1604fe0d2ff34a60327f6b5717860549ea5e03cd5fe999d85a9b8a6ae1ec37b2b727afc36d8d31b2bf35fd3

  • SSDEEP

    12288:VTjRZRHxnkNhCz9g2vv9DZQysVK3Ls05CukBP2FvEkarbmPog:VTBRC49g2nJZ8VKbVouUP2Fv4g

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dana-world.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    communication$dongle&1132

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.dana-world.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    communication$dongle&1132

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.25304.17510.exe

    • Size

      750KB

    • MD5

      46a7a058edfa81f6532fac581d21480d

    • SHA1

      00a6651203b712edeb00595baa133db111a4ec06

    • SHA256

      458fefa707435c36315bf410b3318c34a83da7e4bb2429986ba4ab95986d9d11

    • SHA512

      cd25eb2833f17898c283470afceceed5d90c0162d1604fe0d2ff34a60327f6b5717860549ea5e03cd5fe999d85a9b8a6ae1ec37b2b727afc36d8d31b2bf35fd3

    • SSDEEP

      12288:VTjRZRHxnkNhCz9g2vv9DZQysVK3Ls05CukBP2FvEkarbmPog:VTBRC49g2nJZ8VKbVouUP2Fv4g

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks