General

  • Target

    1808-74-0x0000000000400000-0x000000000043F000-memory.dmp

  • Size

    252KB

  • Sample

    230502-phpghaba57

  • MD5

    8bbab7418675d72363d03ae209dad5cb

  • SHA1

    09b417d68a4dc7bc8463740f89f14e7dc0c76c43

  • SHA256

    b6f696764f50b5fddc8204a9b35053da3a097dc54cf8e740635e042bbee0419c

  • SHA512

    6a5073a5beaa0f64876bb4f0f2de1a81a09d3b73114673866f817fe2b29a100fa72f58dfcc3f67339b8b1e503a99c9789c37e0800c88cf75c01f380270acfb0f

  • SSDEEP

    3072:DefNOSBdA1t90TAaZWm3mG9KRrpU2uTBhlVqUjfwye+POmW++no//M:ZSqzWV2J22WBjVRzNDOTN

Malware Config

Targets

    • Target

      1808-74-0x0000000000400000-0x000000000043F000-memory.dmp

    • AgentTesla

      Agent Tesla is an information stealer and remote access tool (RAT) built on the .NET Framework; it harvests saved credentials from browsers, email and FTP clients, which matches the signatures below.

    • Checks computer location settings

      Reads the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to read configuration files of FTP clients such as FileZilla, which store saved server credentials on disk.

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, a common infostealer target.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Queries a legitimate IP lookup web service to determine the infected system's external IP address.
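
The signatures above describe behaviours the sandbox flagged individually. The following added example (not part of the tria.ge report and not any vendor's detection logic) shows how a triage script could score a process's file, registry and network events against those same behaviours and tell cross-application credential harvesting apart from an application reading its own store. The paths, registry keys, URLs and the event trace are constructed from common defaults for illustration (the pid 1808 is borrowed from the dump name, the events are not the sample's real trace); a production rule would also compare the accessing process image against the application that owns each store.

```python
"""Score sandbox-style process events against infostealer behaviours.

Added example, not code from the tria.ge report. Paths, keys, URLs and the
sample events below are constructed from well-known defaults for illustration.
"""
import re
from collections import defaultdict

# Signature name -> regexes over file paths, registry keys or URLs.
SIGNATURES = {
    "ftp_client_data": [
        r"\\FileZilla\\(recentservers|sitemanager)\.xml$",
    ],
    "email_client_data": [
        r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$",
    ],
    "outlook_profiles": [
        r"^HKCU\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles",
        r"^HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
    ],
    "browser_data": [
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$",
    ],
    "geo_check": [
        r"^HKCU\\Control Panel\\International\\Geo\\Nation$",
    ],
    "external_ip_lookup": [
        r"^https?://(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)(/|$)",
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in SIGNATURES.items()}

# Touching two or more distinct credential stores is the cross-application
# harvesting pattern; touching one is what the owning application does itself.
CREDENTIAL_STORES = {"ftp_client_data", "email_client_data", "outlook_profiles", "browser_data"}


def classify(target):
    """Return the set of signature names whose patterns match a path, key or URL."""
    return {name for name, pats in COMPILED.items() if any(p.search(target) for p in pats)}


def score_processes(events):
    """Group events by pid and return {pid: {"hits": set_of_signatures, "verdict": str}}."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["pid"]] |= classify(ev["target"])
    report = {}
    for pid, names in hits.items():
        stores = names & CREDENTIAL_STORES
        if len(stores) >= 2 and "external_ip_lookup" in names:
            verdict = "infostealer_pattern"      # harvesting plus victim fingerprinting
        elif len(stores) >= 2:
            verdict = "credential_harvesting"    # harvesting without the IP lookup
        else:
            verdict = "benign_or_single_app"     # at most one store, e.g. the owner itself
        report[pid] = {"hits": names, "verdict": verdict}
    return report


# Constructed events in a sandbox-like shape (pid, kind, target); not the real trace.
SAMPLE_EVENTS = [
    {"pid": 1808, "kind": "reg",  "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 1808, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 1808, "kind": "file", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\Profiles\abc.default\logins.json"},
    {"pid": 1808, "kind": "file", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1808, "kind": "reg",  "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"pid": 1808, "kind": "net",  "target": "http://api.ipify.org/"},
    # Chrome reading its own credential store: one store, no IP lookup, not flagged.
    {"pid": 2210, "kind": "file", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for pid, result in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(pid, result["verdict"], sorted(result["hits"]))
```

Run stand-alone, the script reports pid 1808 as `infostealer_pattern` with all six signatures and pid 2210 as `benign_or_single_app`. The threshold of two distinct stores is the design choice that keeps the owner application out of the alert; tune it, or add an image-name allowlist, to the environment's own false-positive rate.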

MITRE ATT&CK Enterprise v6

Tasks