General

  • Target

    dekont_S0098928231200975670998765998766500.exe

  • Size

    645KB

  • Sample

    231016-s77k6abf67

  • MD5

    8d04bf1566683062730ed738fb814358

  • SHA1

    adef16ce105cf526dacd6d826a58b83724267a62

  • SHA256

    10dec278f5878a62bda355e604789c42fcf7605a316caa60fb9361476093b078

  • SHA512

    bb5e758aa946e93c03d96a1d95b24d2ec87ec01c62f2a8f1d7974b2d08d5bc484f7bd9f3ef700751096335d7db8f6014d5d005087c73fb1624be32e05c58908b

  • SSDEEP

    12288:CzfqBuror1GFLWwzhzkiVxJMzQnfFIhwhfp1dvUxBiGkLc/obaf:CT6d1GFLPVnVxJd1dsBk5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.aksumer.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kingdom12345@

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.aksumer.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Kingdom12345@

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
