
General

  • Target

    zsxzsxzdcxdcxdvxdvxdvcxcdcxdxzfvczfvc##################zfvcxfvzfcfzdczdxzsxzs.DOC

  • Size

    23KB

  • Sample

    230703-m98ncahd9v

  • MD5

    25864afe8bb16bf3991f5ecbb3fadbd3

  • SHA1

    ef34d99172cfc9155ed6f0c5d2d3fd2dc8fde105

  • SHA256

    07731278cb304ae0ac61cf589875594752bd45d54cca19da29a36a1c11552367

  • SHA512

    306f177d32eb2a0ed66eac2f114bb7f0b7073d7803ac72f83887294ca9a9f6b31a1439cf8d1a0ddde7363609d907c2635b2af8fd96184531f71bbfc5017ca4dc

  • SSDEEP

    384:Y0VcmhJoJBoXpZF/Dqsk0kb4To+K2gTH9CwVdXiOUjkWTWLlx7X6gBzXqNaWkPk8:PgoXt/Dq/4EP2uH9Cuh4jSLlVX6KW2k8

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    terminal4.veeblehosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ifeanyi1987@
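The extracted configuration above gives the exfiltration channel this sample uses: authenticated SMTP submission to terminal4.veeblehosting.com on TCP/587. The following is an added detection example, not code from tria.ge or from the malware; it takes constructed Zeek-style conn.log and dns.log records (JSON lines, not from this sandbox run), resolves the reported hostname through the DNS records, and flags any workstation that connects to that address on the reported port, excluding a hypothetical approved mail relay. The username and password are deliberately not used as indicators; the host and port are the durable part of the config.

```python
import json

# Constructed Zeek-style conn.log records (JSON lines) for illustration only;
# the addresses are documentation ranges and none of this is from the sandbox run.
SAMPLE_CONN_LOG = """
{"ts": 1688400001.1, "id.orig_h": "10.0.0.17", "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl"}
{"ts": 1688400002.5, "id.orig_h": "10.0.0.17", "id.resp_h": "198.51.100.23", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
{"ts": 1688400003.0, "id.orig_h": "10.0.0.42", "id.resp_h": "198.51.100.23", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
{"ts": 1688400004.2, "id.orig_h": "10.0.0.17", "id.resp_h": "192.0.2.5", "id.resp_p": 25, "proto": "tcp", "service": "smtp"}
{"ts": 1688400005.9, "id.orig_h": "10.0.0.99", "id.resp_h": "198.51.100.23", "id.resp_p": 587, "proto": "tcp", "service": "smtp"}
"""

# Constructed Zeek-style dns.log records: the only link between the hostname
# in the extracted config and the addresses seen in conn.log.
SAMPLE_DNS_LOG = """
{"ts": 1688400002.0, "id.orig_h": "10.0.0.17", "query": "terminal4.veeblehosting.com", "answers": ["198.51.100.23"]}
{"ts": 1688400005.5, "id.orig_h": "10.0.0.99", "query": "terminal4.veeblehosting.com", "answers": ["198.51.100.23"]}
"""

# Host and port from the report's extracted malware config.
AGENTTESLA_SMTP_EXFIL = {"host": "terminal4.veeblehosting.com", "port": 587}

# Hypothetical: the one internal host allowed to submit mail on 587.
APPROVED_MAIL_SENDERS = frozenset({"10.0.0.42"})


def _records(log_text):
    """Yield one parsed JSON object per non-empty line."""
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def resolve_exfil_addresses(dns_log_text, exfil_host):
    """Collect every address the DNS log shows the exfil hostname resolving to."""
    addrs = set()
    for rec in _records(dns_log_text):
        if rec.get("query", "").lower() == exfil_host.lower():
            addrs.update(rec.get("answers", []))
    return addrs


def find_exfil_connections(conn_log_text, dns_log_text, exfil, approved_senders=frozenset()):
    """Return (orig_h, resp_h, ts) for each connection to a resolved exfil
    address on the configured port from a host not approved to send mail."""
    addrs = resolve_exfil_addresses(dns_log_text, exfil["host"])
    hits = []
    for rec in _records(conn_log_text):
        if rec.get("id.resp_p") != exfil["port"]:
            continue  # wrong port: plain SMTP on 25 here is a different question
        if rec.get("id.resp_h") not in addrs:
            continue  # 587 to some other server, e.g. the org's own relay
        if rec.get("id.orig_h") in approved_senders:
            continue  # a legitimate submitter talking to a shared provider
        hits.append((rec["id.orig_h"], rec["id.resp_h"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for orig, resp, ts in find_exfil_connections(
        SAMPLE_CONN_LOG, SAMPLE_DNS_LOG, AGENTTESLA_SMTP_EXFIL, APPROVED_MAIL_SENDERS
    ):
        print(f"{ts}: {orig} -> {resp}:{AGENTTESLA_SMTP_EXFIL['port']} "
              f"matches AgentTesla SMTP exfil host")
```

Matching on the resolved address rather than the hostname string matters because conn.log carries no name; the join through dns.log is what ties a flow back to the config. The approved-sender exclusion is there because veeblehosting.com is a shared mail provider, so a bare host-and-port match can also fire on legitimate mail submission.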

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      zsxzsxzdcxdcxdvxdvxdvcxcdcxdxzfvczfvc##################zfvcxfvzfcfzdczdxzsxzs.DOC

    • Size

      23KB

    • MD5

      25864afe8bb16bf3991f5ecbb3fadbd3

    • SHA1

      ef34d99172cfc9155ed6f0c5d2d3fd2dc8fde105

    • SHA256

      07731278cb304ae0ac61cf589875594752bd45d54cca19da29a36a1c11552367

    • SHA512

      306f177d32eb2a0ed66eac2f114bb7f0b7073d7803ac72f83887294ca9a9f6b31a1439cf8d1a0ddde7363609d907c2635b2af8fd96184531f71bbfc5017ca4dc

    • SSDEEP

      384:Y0VcmhJoJBoXpZF/Dqsk0kb4To+K2gTH9CwVdXiOUjkWTWLlx7X6gBzXqNaWkPk8:PgoXt/Dq/4EP2uH9Cuh4jSLlVX6KW2k8

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from web browsers, email clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP, which is consistent with the SMTP credentials extracted above.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
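The three "Reads ... data" signatures above describe the same behaviour from the defender's side: a process that is not the owning application reading a well-known credential store. The following is an added detection example, not tria.ge's signature logic; it runs over constructed EDR-style file and registry read events (not from this sandbox run) and flags reads of FileZilla, browser, Thunderbird and Outlook-profile locations by any process other than the product that owns them. The store paths are the standard locations for those products; the process name dropped.exe is a placeholder, since the report does not name the dropped executable.

```python
import re

# Constructed telemetry: EDR-style file and registry read events for one user.
# The image name dropped.exe is a placeholder, not the sample's real dropped EXE.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "op": "FileRead", "path": r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "FileRead", "path": r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "FileRead", "path": r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "RegQueryValue",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002"},
    {"pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "FileRead", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "FileRead", "path": r"C:\Users\alice\Documents\report.docx"},
    {"pid": 5588, "image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "op": "FileRead",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"},
]

# (category, owning process image, pattern over the lower-cased path).
# These are the standard on-disk / registry locations for each product.
CREDENTIAL_STORES = [
    ("ftp_client", "filezilla.exe",
     re.compile(r"\\filezilla\\(sitemanager|recentservers)\.xml$")),
    ("web_browser", "chrome.exe",
     re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$")),
    ("web_browser", "firefox.exe",
     re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$")),
    ("email_client", "thunderbird.exe",
     re.compile(r"\\thunderbird\\profiles\\[^\\]+\\logins\.json$")),
    ("email_client", "outlook.exe",
     re.compile(r"\\outlook\\profiles\\")),
]


def flag_credential_store_access(events):
    """Return (pid, image basename, category, path) for every read of a known
    credential store by a process other than the product that owns it."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        path = ev["path"].lower()
        for category, owner, pattern in CREDENTIAL_STORES:
            if pattern.search(path) and image != owner:
                hits.append((ev["pid"], image, category, ev["path"]))
                break
    return hits


def categories_by_process(hits):
    """Group hits so one process touching several stores is reported once."""
    out = {}
    for _pid, image, category, _path in hits:
        out.setdefault(image, set()).add(category)
    return out


if __name__ == "__main__":
    hits = flag_credential_store_access(SAMPLE_EVENTS)
    for image, cats in categories_by_process(hits).items():
        print(f"{image}: reads {', '.join(sorted(cats))} credential stores")
```

The owner exclusion is the whole point: FileZilla reading sitemanager.xml or Chrome opening its own Login Data is normal, while a single unrelated process reading FTP, browser and mail stores within one session is the infostealer pattern the report's signatures describe. Grouping by process turns three separate reads into one alert.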

MITRE ATT&CK Enterprise v6

Tasks