General

  • Target: 6ebea473523c44132e5e5a30bedb1a43.bin
  • Size: 657KB
  • Sample: 231102-chal5aha53
  • MD5: 37770ffdb75c067a44152b828653ea5c
  • SHA1: 01f07c55b5bb91557f5a007c843e24517ce5a16a
  • SHA256: 557eee365f920a187a791f1d8ea2c335b4b29b483d584508f7177428f7da7b31
  • SHA512: 726181223179fdbbe12a18ca59b481b08811d2ccc26fd367a186b229ecdd6fcdbc533899abf6260c939b23b60c810a979222f9ed440b69456c758d61cc12a27e
  • SSDEEP: 12288:GWrHLanWLcl6dUlJBb0R8uZPveCNgFlL+pduyBpjLgrntE3QGzp994i:GWrHLa6clXlJBb0iuhN93pIrn633L94i

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.mediaexpert.dz
  • Port: 587
  • Username: [email protected]
  • Password: Ayola@123

Targets

    • Target: 6e158f16f07e8ff0704f797423eee56096fa51306fa8e74ae0034559f9cbe81c.exe
    • Size: 850KB
    • MD5: 6ebea473523c44132e5e5a30bedb1a43
    • SHA1: b9777c487d43c43cf0a46b104f2912d7f6207f1b
    • SHA256: 6e158f16f07e8ff0704f797423eee56096fa51306fa8e74ae0034559f9cbe81c
    • SHA512: 7a016e64a52dae54712ccb40ad39c308715060894097ace857b272c32e996c8fb7c0135f1beaa791976fcae27eb73d5a6dbc74b9470c9e42210c3040e6ebda90
    • SSDEEP: 12288:9XWvpnJ0UQAq0PO5ECGoNw5BvrpBlbL6n3POr5y9W8Di0mXtSC:9IJ0Sq0mC9hBvrtbLEyeHDjmXc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext
