Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Quotes Specifications R2100131410_PDF.img

  • Size

    1.2MB

  • Sample

    230207-njlxbsbd33

  • MD5

    8d38ac89a1b7ce914f7a4fd69e4e5149

  • SHA1

    c2af2c2d95999d7ff894ba75d473874f41db311f

  • SHA256

    a48b89e4588185e7323c37169bedd210f6fa429c0344906ab4decd46e31e9dff

  • SHA512

    0058142987dcbf237d57ec2d3acee7de442684362c9f3b84176560b8dd2b4d4f221c7a538023c4ac2c3203d4b05ee343fd740db97fdb020a6e0e7de000ba3b0e

  • SSDEEP

    12288:GYXVBHN4C8x0ks0Ouuahj69YeeDtK0Y5tIv3:GYXVBL8uks0OuNj69beY0Yov3

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ravv.sk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bfE#vKaMi#

Targets

    • Target

      QUOTES_S.EXE

    • Size

      410KB

    • MD5

      d0f0167747de9e85ece81cef22a569d7

    • SHA1

      aeacddd1050c347e4ac27fdc65a2d7d5422c95e1

    • SHA256

      894ca1dfeebe51eb320bd38a7da02c17e1937477a44cd4e8cf008f7a44fa7c3e

    • SHA512

      90d58c5f8207d9bbf8a147edb6be2d0b4d676a34619d6e85736de3f5de938ee3fc7195883edfabfdec38f63ef03edce6faa0140a42a429e8fae3bb160543677f

    • SSDEEP

      12288:yYXVBHN4C8x0ks0Ouuahj69YeeDtK0Y5tIv3G:yYXVBL8uks0OuNj69beY0Yov3G

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks