General

  • Target

    sydney.exe

  • Size

    632KB

  • Sample

    230414-wemxtsce21

  • MD5

    22f586f44c42f4391e56f4fa69a4a15f

  • SHA1

    e65b058c4e70cd00d589182aa3000f13985bd647

  • SHA256

    466fdb188d0606dc985d5fd8ff6510566d55741ed4874872a04473135ec2f9ce

  • SHA512

    e65ac28edd7dbadf65117c98ba342fabd4d005a34f807162181baabd9f0bb884c47be922853acf4fa514a1ba34bb192e8cd80548ad831561a44f9e326450ae92

  • SSDEEP

    12288:u52iNXuldrjZekhfaYZbgP2d0aahqEYfVNO/:c1FulhZeUf97pahUVN

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks