General

  • Target: New Order PO Pdf.arj
  • Size: 660KB
  • Sample: 230616-lfmy4sdh6y
  • MD5: e360017c7ef7884d60644094d06663e2
  • SHA1: 497346005f20fd716e2fde43083bfe603376cb64
  • SHA256: 01d0240ca8e6371275850138ef58bb6cb4531d5ddcf37ca60e143a9c17ffcd2c
  • SHA512: 3660fa6db7af2bad460a80185a7d2ea9890fbac62e2c1ea4138538d0634267da933c3382481c57802e5fe9581c3a325cd52e61e277c90b5f1ff373f3e38ea459
  • SSDEEP: 12288:HBUDsfApPQ5fyjrg8le0yZbUSy4kXN0k4XUdLOs8RScwZmnMP/:HcsfApPC4k8le00USyjidXUgS5Z3/

Malware Config

Extracted

  • Family: agenttesla
  • Credentials: (none listed)

Targets

    • Target: New Order PO Pdf.exe
    • Size: 782KB
    • MD5: ada2688229273cf4c6f7a99b754c30bf
    • SHA1: 3203a1df97391b8724fbb3358dac82612037d2bf
    • SHA256: d7abd39aef9b875bc280512418843d56e027212adfd34c36d7d20203168b8bad
    • SHA512: 0d691a6144995f507cfa989383fd3dbfba0bfcb9f1b5900501cf6f5367207d7d8702493f37066f34f660e009ee182f2dc0972fe0a93564c7284db54e879a8ce4
    • SSDEEP: 12288:wNWqa2iNx5LbzIu9+r9vd6RYuuWonU2UNKeVy/sxj3PoqCBgl+tjBIjU6kp0ckx8:6a1j5LA9wyLnUDEUVJPoqigwh2Ktk

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks