General

  • Target: SOA.zip
  • Size: 568KB
  • Sample: 230605-tmekbahe57
  • MD5: f95bb735cd2eca12600e5028c4789431
  • SHA1: f8e7dbb3b5cf6305b70afadc21f4c0b05180387a
  • SHA256: 253e013f09f3d37c211355f9ec3d86eec58f143e80b133835a8d679f46428702
  • SHA512: 8b8f0c7da521b1970f648391262ecc364a34cf586be1ad99818d3e033d471c30fdbe0b4701785fa9544d4f34dc5c15a173357b93d13d8391af962ab684d827df
  • SSDEEP: 12288:40HUKjwNFAlbB4hSDz7WMhbqsi6LNiCbWpo1bwIiFKXhTVhMeP:42UKjw4UhSDz7WMRdLNzv3vhhhMeP

Malware Config

Extracted

  • Family: agenttesla
  • C2: https://api.telegram.org/bot5814058627:AAFjPgERfyp3AZJXAfISMezajcw2VR_A_9U/

Targets

    • Target: SOA.exe
    • Size: 608KB
    • MD5: 9679de6d9acd068c7f902760f73fbd20
    • SHA1: 1aef17bc39349726e31cdf77395b1b420c2417a4
    • SHA256: 93b2e11e63c3e38bd7d2fc22514d2ae970e35ee23bd9fd829a75d25df3794dd8
    • SHA512: 87ce2b5d5104f85dc28826de45111e56fe08113e49906a99ca97f8b67bb4119db347d03646d11ebdc6b5a5857c68fa0fb0fd3f5a7d3a78e9a4b4825295d22c25
    • SSDEEP: 12288:92N8jiZ4zypIPvtPplTY6RhKuQAtb54gWMhSosI6LN4CHUTBiFRIIk1KxtTSPS:92N8jiZ4zypIPvJTDE6AgWMQ9LNC9iFs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks