General

  • Target

    771a4f1bed87b5336b188cfb31c5c200.bin

  • Size

    711KB

  • Sample

    230325-bzlv2sae24

  • MD5

    0277dfad24ef08cffdc8990b6436b114

  • SHA1

    919a15ebc29178387d69e96d7554e5c7ed7a18d9

  • SHA256

    f6342898baf831714973ff440665f1faa69a03d62b99739603385baf90ac872c

  • SHA512

    1412315c182e79dc0cdc495fea2207681544332e87c0f99063375d170fac20b83415cb3d84e6e1cbd61d398e0c240c7dc1ff8e4a3e166f34701a28bdd49d1e20

  • SSDEEP

    12288:fc78Gc2xxKaEK6jkyQX7RRpjiSmVHNVkb0NzDmWqdjYnypRBTt1OCpmHZVay9IDA:E7c2xx4ljSRRpkTVqGzDm3djYnypeC85

Malware Config

Extracted

  • Family

    agenttesla

  • C2

    https://api.telegram.org/bot1749457201:AAGWIY2QPzrHZIumAIUsWjyRAEWcJrauccY/

Targets

    • Target

      b608ae4e41f90a368ec3b9d29346c01a0322f6b7d8e96334070240fbbeba2c70.exe

    • Size

      808KB

    • MD5

      771a4f1bed87b5336b188cfb31c5c200

    • SHA1

      e54c44c009fb78e3cb053af5bee0a728fcf4dcb3

    • SHA256

      b608ae4e41f90a368ec3b9d29346c01a0322f6b7d8e96334070240fbbeba2c70

    • SHA512

      12fdbe85217e2174db08139ae46f8dc3761c835d14458d4ef11e56341f0541b1d464ef9ac3fb2fc533b2980d28c26dbcdf38d559d26fb791c4d5480de2796049

    • SSDEEP

      12288:Ag5Zwdbch9SgZWoXylevNyZeAC9aSyBZOYNsg0aTAHru5iMHixKCrYrE:AeZGbch9/Eo1Vy4794BZODg6Hs9iMCc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks