
General

  • Target

    f77dc4ac075fb75864f974585ca3b393475b0c51330c29d49a98d360969c2442.doc

  • Size

    51KB

  • Sample

    231121-tlt9dagc4z

  • MD5

    d0c1b19fa2e32065714d692a75a2e393

  • SHA1

    e190e2d12d830acdbcbf0f878166132e85969d3c

  • SHA256

    f77dc4ac075fb75864f974585ca3b393475b0c51330c29d49a98d360969c2442

  • SHA512

    07f4893a09b4328389957b1416316f924380de891a9287412ec12a27d7e0d70763041afed52b80e75269b56e8d75a017d05ade9c8c3f25a5e8796906cd529418

  • SSDEEP

    768:mwAbZSibMX9gRWje2RtIBtepUi8Hejr2Gbedh28TFP:mwAlRJGIBtTnnh24FP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Targets

    • Target

      f77dc4ac075fb75864f974585ca3b393475b0c51330c29d49a98d360969c2442.doc


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
