Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    asklamaya.exe

  • Size

    293KB

  • Sample

    230713-qnc64agh35

  • MD5

    6cc93c3cbc8578aa9e7a69b527521577

  • SHA1

    6f578200f0f4ee228f08bd7197dfc6ec9035e608

  • SHA256

    6702fd8cc69861fd00ceba3d93fd0108be39694f0af90577e99e3e04f0c2ce83

  • SHA512

    396cb20c6badad5f6343deb5cc2192cc663e8f166cf2c5a4b39a56037b700889cda7cc419781cf7f6f58c55e5983e81b0498c74abc55afea2b6f8464a7f9b144

  • SSDEEP

    6144:vYa6XerF2JOK15cSag0dwXhmmunvWkZ5PECg1U4L/q/hpBV:vYleRM1SSb0mw+O58Cg1p/qV

Malware Config

Targets

    • Target

      asklamaya.exe

    • Size

      293KB

    • MD5

      6cc93c3cbc8578aa9e7a69b527521577

    • SHA1

      6f578200f0f4ee228f08bd7197dfc6ec9035e608

    • SHA256

      6702fd8cc69861fd00ceba3d93fd0108be39694f0af90577e99e3e04f0c2ce83

    • SHA512

      396cb20c6badad5f6343deb5cc2192cc663e8f166cf2c5a4b39a56037b700889cda7cc419781cf7f6f58c55e5983e81b0498c74abc55afea2b6f8464a7f9b144

    • SSDEEP

      6144:vYa6XerF2JOK15cSag0dwXhmmunvWkZ5PECg1U4L/q/hpBV:vYleRM1SSb0mw+O58Cg1p/qV

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks