General

  • Target

    DHL Original Documents.exe

  • Size

    1.5MB

  • Sample

    230214-w2ly2sef5x

  • MD5

    37db5181e973d4d7f9c44ff2a2b80f01

  • SHA1

    1e4d62ddeb63fb6402efa812c59ab3a787282d6f

  • SHA256

    27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904

  • SHA512

    2bad9e74c49d5715b5438c0facaa81493c167f3b311c9a1f1ce7d8f0ea70d1f09d0e49ebfa56cf220bc5bb4546f050875e0bb8e76bd680e226b74480835ec7a9

  • SSDEEP

    24576:+fFQddjdaB8OWqN0ujXGEJUuLp2avBh4kUaOY7zEGOmth0tgo5fnv/:+tiG8OjqujXx/LgavBSkUI7yuh0tgk/

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DHL Original Documents.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks