General

  • Target

    swift-04172023.doc

  • Size

    27KB

  • Sample

    230420-ngklgshe42

  • MD5

    1cf063099adda44ae796e1abbdc0c4b6

  • SHA1

    8d5091defe3bf7431e357079da14640a237716ec

  • SHA256

    c086a5bf6d7f4586a1c1f03d6228efafe36e769910c60e01aa9b4fb63ba3f588

  • SHA512

    3e2f8cdfa529df7e7541dd11147ab9c78b9f05f0f5faa582ec9cc915c404e15151f27133af7785548638ff633c51a1bbc872be030bb8e3a152cf2323c593846a

  • SSDEEP

    768:eFx0XaIsnPRIa4fwJMQF+by2nujzhfj5xzt+u:ef0Xvx3EMNXn6XJf

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks