General

  • Target

    c08c2912aa3176dfb1e8eb8c86edbec000f6996de442b8ef963fd95a2f8a1c46

  • Size

    652KB

  • Sample

    231207-dazrqaaec9

  • MD5

    54210999627035dcc69cd1722e9a6075

  • SHA1

    a390a3fd304888238b6d97028fd331033ca3b064

  • SHA256

    c08c2912aa3176dfb1e8eb8c86edbec000f6996de442b8ef963fd95a2f8a1c46

  • SHA512

    2c98c96b1ce8f4b5dc48e1bd118b6999e410cd817e2f9ea7ce086349eb475be85c5c352697714206a79961684f6d42c803e1ff24ae53969514dbba6dae6869ed

  • SSDEEP

    12288:btFQaueH5qkRRg6wzQApkqiB6vrt52SfDo4n7qo7mCrSgs6vGHp8t+/6:btjqsgdzVk/4B5zfDH7qPv36MKt+/

Malware Config

Extracted

Family

agenttesla

Credentials
  • Protocol:
    smtp
  • Host:
    premium162.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks