General

  • Target

    PO#7A68D20.exe

  • Size

    836KB

  • Sample

    230416-pav93saa97

  • MD5

    b1e8f872bb44b3374f9316e7a0c92a33

  • SHA1

    948a5abbae5d5a92e32b8cd3bd94aaa6d8194d97

  • SHA256

    dda4f1a46d2cdb061159193b085f33cdade6e69c1d25b1fb41dfabbc1f84c5fb

  • SHA512

    58dfde3efdd97f54f64f8eebf55b46a537f6e7e312cbbffda1eb1649a8134a4047d93166345bdc1f33b8d1e14c76c30ec27282a5ffd51cf408fc8a229de93044

  • SSDEEP

    12288:QyrEFmaPEQ3OSuzqHu2XN7NzLEjTfBRfQlTIq0tvIW2e8i2Z:QJMU7NzLEvfBRYCIW242Z

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      PO#7A68D20.exe


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
