General

  • Target

    36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae

  • Size

    514KB

  • Sample

    230306-dfmpcaad48

  • MD5

    81171a0c4fbe80b5f7bc9d41ee97b753

  • SHA1

    0b7584836b43afad22e8e863b2827e7be6b27a1b

  • SHA256

    36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae

  • SHA512

    abd290679554d99e221398588e43bb78d6e7aaa03a201a008614572298c25e3066b775ffc8871533a4299c1e2594b4c9748b168ea15804908908d48cfc224812

  • SSDEEP

    12288:qYi8LodU2EEA7Znkj/tiDsJhDbCbQbJTvIN6:qYioh2Eoj/I4zIN6

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6277254729:AAH9hHYZNSDZac0nNvgmchkZF8WVRKU5dJ0/
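The extracted C2 is not a custom server but the Telegram Bot API, with the bot token embedded in the URL path (the `bot<id>:<secret>` segment). Agent Tesla uses this channel to push stolen data to an attacker-controlled chat, so the token and its numeric bot ID are the pivot points to hunt for in proxy or DNS telemetry. The helper below is an added example, not tria.ge code: it pulls the token out of the config URL and scans a constructed proxy log (hypothetical `ts host method path` format) for any Telegram Bot API call, flagging lines that carry the token from this report. The log lines are constructed for the example.

```python
"""Telegram-bot C2 triage helper (added example, not part of the tria.ge report)."""
import re
from typing import Optional
from urllib.parse import urlparse

# C2 URL copied from the extracted config above.
C2_URL = "https://api.telegram.org/bot6277254729:AAH9hHYZNSDZac0nNvgmchkZF8WVRKU5dJ0/"

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The secret is
# base64url-style; 20+ chars avoids matching random "/bot..." paths elsewhere.
BOT_TOKEN_RE = re.compile(
    r"/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})(?:/(?P<method>[A-Za-z]+))?"
)


def extract_bot_token(url: str) -> Optional[str]:
    """Return the bot token embedded in a Telegram Bot API URL, else None."""
    parsed = urlparse(url)
    if parsed.hostname != "api.telegram.org":
        return None
    m = BOT_TOKEN_RE.search(parsed.path)
    return m.group("token") if m else None


def bot_id(token: str) -> str:
    """Numeric prefix of a token: identifies the bot account itself, so it is a
    useful pivot even if the attacker rotates the secret half of the token."""
    return token.split(":", 1)[0]


# Constructed proxy log in a hypothetical "ts host http_method path" format.
# Line 1 and 4 use this report's token; line 3 is a different bot; line 2 is benign.
SAMPLE_PROXY_LOG = """\
2023-03-06T14:02:11Z api.telegram.org POST /bot6277254729:AAH9hHYZNSDZac0nNvgmchkZF8WVRKU5dJ0/sendDocument
2023-03-06T14:02:12Z www.example.com GET /index.html
2023-03-06T14:05:40Z api.telegram.org POST /bot1234567890:AAEzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/sendMessage
2023-03-06T14:06:01Z api.telegram.org GET /bot6277254729:AAH9hHYZNSDZac0nNvgmchkZF8WVRKU5dJ0/getMe
"""


def scan_proxy_log(log_text: str, known_tokens) -> list:
    """Return one hit per Telegram Bot API request seen in the log.

    Every Bot API call from an endpoint that should not be running a bot is
    worth a look; hits whose token is in known_tokens are tied to this sample.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than crash the sweep
        ts, host, http_method, path = parts
        if host != "api.telegram.org":
            continue
        m = BOT_TOKEN_RE.search(path)
        if not m:
            continue
        token = m.group("token")
        hits.append({
            "ts": ts,
            "http_method": http_method,
            "api_method": m.group("method"),  # e.g. sendDocument = file exfil
            "token": token,
            "bot_id": bot_id(token),
            "known_c2": token in known_tokens,
        })
    return hits


if __name__ == "__main__":
    token = extract_bot_token(C2_URL)
    print("bot token:", token, "bot id:", bot_id(token))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, {token}):
        print(hit)
```

`sendDocument` is the call that carries stolen files, so a hit on it from a workstation is the strongest signal; `getMe` is a token check that often precedes the first exfil. Because the token is the attacker's credential, treat it as an indicator only: do not call the API with it from an investigation host.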

Targets

    • Target

      36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae

    • Size

      514KB

    • MD5

      81171a0c4fbe80b5f7bc9d41ee97b753

    • SHA1

      0b7584836b43afad22e8e863b2827e7be6b27a1b

    • SHA256

      36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae

    • SHA512

      abd290679554d99e221398588e43bb78d6e7aaa03a201a008614572298c25e3066b775ffc8871533a4299c1e2594b4c9748b168ea15804908908d48cfc224812

    • SSDEEP

      12288:qYi8LodU2EEA7Znkj/tiDsJhDbCbQbJTvIN6:qYioh2Eoj/I4zIN6

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers commonly target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing, where a suspended process is redirected to execute injected code.

MITRE ATT&CK Enterprise v6

Tasks