Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d

  • Size

    673KB

  • Sample

    231012-fl5s8aaf68

  • MD5

    86841a1ccb8603fd4c5f44ab5f978d4d

  • SHA1

    00c814bca41e7da4e5694534dbafa6201484bc4e

  • SHA256

    3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d

  • SHA512

    519aa6b845a12d3f3a0b7cb6654796f2c08ea6f0912a9a1490fef52a39e535bfb57e44f7e19b974a3cd4e4ae6d185681de464a7924faf9511e6a4ff6abee425d

  • SSDEEP

    12288:FrD6UaPEy03p4YIWo4FhXf0fDT2akV4+dcWTWNH5AyLY/VZ0K:1D/PJnIWo47p4QdTs5DYNWK

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://valvulasthermovalve.cl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    LILKOOLL14!!

Targets

    • Target

      3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d

    • Size

      673KB

    • MD5

      86841a1ccb8603fd4c5f44ab5f978d4d

    • SHA1

      00c814bca41e7da4e5694534dbafa6201484bc4e

    • SHA256

      3096973acd0408ca6115b08d3e7968a5f029e353878991a39c22cc3f9d60683d

    • SHA512

      519aa6b845a12d3f3a0b7cb6654796f2c08ea6f0912a9a1490fef52a39e535bfb57e44f7e19b974a3cd4e4ae6d185681de464a7924faf9511e6a4ff6abee425d

    • SSDEEP

      12288:FrD6UaPEy03p4YIWo4FhXf0fDT2akV4+dcWTWNH5AyLY/VZ0K:1D/PJnIWo47p4QdTs5DYNWK

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks