General

  • Target: tmp
  • Size: 349KB
  • Sample: 230403-1jlmsaeb66
  • MD5: a654157ddac012ade8be11d6b45a5dfb
  • SHA1: 3aadefbff659c039584cfaa97db81ba306cba393
  • SHA256: 34345f68afe6a10cb29415ba265f68f1a5d61c3a79a01e54be6c43e16aa0ce73
  • SHA512: 61898d8256f5392f070266e9c5dc5ec1b036d4f98100a433c67e93ba82da19d9217ee5ab8e8eb8f5b1bd8db659337f1541e921678776540ee0551dc37448ece0
  • SSDEEP: 6144:wYa6CBpOx4SUugmdy95/d5e3iHBiGWkUdUnvJP9pGni90V:wY4Sx4SUfh/3eyHBIZ+pOi9o

Malware Config

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks