General

  • Target

    4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx

  • Size

    10KB

  • Sample

    230705-bkf19aab45

  • MD5

    75b5fb86bd2cc8fc41d253b5b90a767f

  • SHA1

    4370d24b51f5689172afe913527f76b276e5c0cc

  • SHA256

    4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4

  • SHA512

    6035561fa54da886b06331e8c53be563c1d16423c515b13141c3ed03ebad443fe613a6d0c68b7009a3cc49e0a987c4f3e1ae4d1330538e3b00867de7fec95a84

  • SSDEEP

    192:Rya0N09FtWvARgZVPCK44AG9xXSJ+Ej7vJYtKwuKovDWYZcWe5F9u6:RyX09FtWvANK4499xXSJf7vJYtG6YZOT

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks