General

  • Target

    ec5d71e7c6115d86ae29ce20489752e8.bin

  • Size

    647KB

  • Sample

    230519-cgtzdadd7t

  • MD5

    0bb9fb9809eee9d57e8ddea2cf19fc68

  • SHA1

    0735df2484eda0c6f2ade3b3c37f021014e52be0

  • SHA256

    73ec879f9161b45afd68037c1d9509e6eeaf8e285ec301dc80ad51117830500f

  • SHA512

    df1cf5481515fbb5cbc1b6cc0e8834974a54a03445e337dfcd3787d6bb86434c5ccd8a5178d176ca3750690ff467232d84495a749ed45fde98dd85f3c893b93d

  • SSDEEP

    12288:1wlteL9KD4oL3wYJti8/sjbBTaeF+0EIKp5som6zqn+3KWfuy8A1:ateLgD4S9m0sjEeQnxGn+n58A1

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6190932047:AAFAXC_q-J_1tPTmmiqndMdlZipgoGT2Ypo/

Targets

    • Target

      0q7qlsLVl1SQrvh.exe

    • Size

      873KB

    • MD5

      61ca94837222b35a82863294601c3769

    • SHA1

      5a180a46e32bd2b932ba5e490d5c58b4190111d1

    • SHA256

      271d3e8dfec86cdeb02be2c1d29e4717dae69d8edfb088bdf67b3da85fbacf30

    • SHA512

      62d0fe18660e68b1e506e7bf3dcf412b6306d57cbd164f1b8211ff5d526738105bed297f7012379abb1183dc7c3bedcd7f6fa2864daeebf0a4f7bc6103198db7

    • SSDEEP

      24576:b1Bs0qZ491FSKmpt2Mk4OEXO6RTfn/uFfC:bDs0qZwoKm9kYHTfnWF6

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks