General

  • Target

    Purchase-Order.scr.exe

  • Size

    672KB

  • Sample

    231011-ymw7kshh7x

  • MD5

    7fccb0197c8d6888ab6a5f9713fba9f6

  • SHA1

    ae8ea47dbb7c8bc40df063ea2e05823e2458cced

  • SHA256

    b89fe3a178283fbd51ed71bd488e079a81dff40fc7124f57540e98540dce28a1

  • SHA512

    feccea6ac8dc93c7f3bc88f3e3b2d3a84b11738161c8e1a153c5a8a29e17e424a84b75daf1754dd3e9d0f7f32335b9e1a6aa811349660e4f6837247add0bb7d2

  • SSDEEP

    12288:UVj3hLQvfdxOo7gpXtrFF725cxd9dvmVV38eIlCwWTIghwhKfwlucbh1ejqaRiv6:sMOfx4twKyxluc90JRk6

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6364043354:AAF_1bGx2vGEmysmy8L-UNpPd2QFFHQH3WU/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks