General

  • Target: PO-1607201158 --- NAXILAI.zip
  • Size: 552KB
  • Sample: 221217-ngkw9age94
  • MD5: 37984cec28f549af24029cbf8be51873
  • SHA1: 1777aae023c251ab0fa54c4f773ce7f8d8b08057
  • SHA256: 3ddde48f233953cfe9064930012c4ab90d90439291fa093b08ee16c06e6eb966
  • SHA512: 259f7dfdf5651e621607f2d373c29570fc73d5096ec032bd7ce9e87433e6173d838fae2e9db04a8b3120842972323c9710487ef2f89d8ac1446290ed94e21f8f
  • SSDEEP: 12288:6jUGLG9yelqiE7UB5/gAXZ1I6c1u2GHDiy+U6xo1C6Dv:6NgAh7UBNgt92Diy+Uio1L

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: [email protected]
  • Password: @@Marriedj8OQWinbi1

Targets

    • Target: PO-1607201158 --- NAXILAI.exe
    • Size: 599KB
    • MD5: 344e038bc93ae48700830b37b78beb36
    • SHA1: d994820625144db20ad0ff08abf3ede71b6232fa
    • SHA256: 747e7e2681dcb1663759b915ce6a656d40954127343aff9fade05be78d3d99df
    • SHA512: aede41fd50dfb8169f05b6bd8d168d727db52bdfefc9da38f83bea07d6c29a02e2cf7dff1d7e50a39ee7a960eeabc0f3fddb7ee4c5da927cb429f373bda18610
    • SSDEEP: 12288:b5kWP9tuelkielUBb3gsXZ1I6k1Y2kvARw+y6xu:beCC7lUBrgbVzRw+yi

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks