General

  • Target

    cec987bff90b00ce724f9c8ba67a66c1.bin

  • Size

    646KB

  • Sample

    230901-cefnzabh79

  • MD5

    5e8cf3225348bf6ada7b52387a7ece51

  • SHA1

    e0ff28cc70381463b71922f84e09f128719ea292

  • SHA256

    a168419d23971aa18f193230e08bfd74a1687e490eeeebae5fabd4a6dcdf0793

  • SHA512

    1653ecf38f5f4b0692ad61dfcd3e69d57f7504871767fd5d752ae83940d676a40c78b0767989391f828cdbce8f69155461e7da6fded1b1f75a501ad6a3bdeb09

  • SSDEEP

    12288:OJ2W2SCgofQuxU0nmnnin13StIjq34Lv6RTis26V2ZaGZr3n3TdUOGaEkciHJN:OcW2Mo4uxUWJn1UClM2s200ZNpN

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      purchase order.exe

    • Size

      687KB

    • MD5

      bd8956a202a197e22148fae79c98e967

    • SHA1

      22b02b9a316418eebbaca4bf5461660933fee5d3

    • SHA256

      48344ddf6064b91600662af7a6b0c9d66b4ed354bd50839c360c21d62d49e63b

    • SHA512

      0b70292c4fa26061f7ce06311aea02693dbc3b530c96862224848f45f5dfe70400b5eb72c62445851b9e994af20a3577ed92ac19cf1db4ca27bafb09f6e2c35d

    • SSDEEP

      12288:ZZboCUhRcOJ5clu6ZRNL09JXgT8zQM95bgGvpZ2cVTt2M5osEITPcOr:PZ5yoZ/L6iT8kDu/22Z2ILTPc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks