General

  • Target

    032a15d1750e8e2208aece67bc3e54d1f28526978e703376750a6fa1e096fde1

  • Size

    1.1MB

  • Sample

    231115-q2accscd4w

  • MD5

    0b3b1594947f8215107cad89322085c9

  • SHA1

    4354ca509f86c6fc86f3b1eaac8cb4292a4719d6

  • SHA256

    032a15d1750e8e2208aece67bc3e54d1f28526978e703376750a6fa1e096fde1

  • SHA512

    d21d660a1ceb52221e64c25ae8628a22755408140399a8cce8533f1c8e3f232de0239435f9e5633e51fecd7e61fa74012a824555115715d4e91f2eb0fd5ecb63

  • SSDEEP

    12288:NjOJofxt7J0RXKwpWm1ETuwoU4sFgvXvHj8jfyMC/xyXLLByfTS7nnBFcXxKFDK+:J822RXKwppEySsx7gnB2Qnc

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.corpcarnica.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    AnzBal159@?

Targets

    • Target

      032a15d1750e8e2208aece67bc3e54d1f28526978e703376750a6fa1e096fde1

    • Size

      1.1MB

    • MD5

      0b3b1594947f8215107cad89322085c9

    • SHA1

      4354ca509f86c6fc86f3b1eaac8cb4292a4719d6

    • SHA256

      032a15d1750e8e2208aece67bc3e54d1f28526978e703376750a6fa1e096fde1

    • SHA512

      d21d660a1ceb52221e64c25ae8628a22755408140399a8cce8533f1c8e3f232de0239435f9e5633e51fecd7e61fa74012a824555115715d4e91f2eb0fd5ecb63

    • SSDEEP

      12288:NjOJofxt7J0RXKwpWm1ETuwoU4sFgvXvHj8jfyMC/xyXLLByfTS7nnBFcXxKFDK+:J822RXKwppEySsx7gnB2Qnc

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • AgentTesla payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks