
General

  • Target

    Christmas Tree and Wishes.img

  • Size

    1.4MB

  • Sample

    231226-jw3cmaegcj

  • MD5

    2edd84608b18b2098b09398d276e05a2

  • SHA1

    8f951156c366ed42dcc7ba8af1e8b4b529c95fe6

  • SHA256

    7bf1401269b1ed13ad18c65c45c6f54d6844a14e311053493eb94f0893ec739f

  • SHA512

    a9f98a0011b802c896c357319f1d6bdab1f2f64cf76d7aa02bc51c5221f0b34a7429ec91771e49b8f01f11796adbfcab7f43afd56d72f8854f5d88bde8506569

  • SSDEEP

    12288:VU6NIHXUVUzXNrQtNMp8tP5S/kVtjNBu2EkS9ZA8+VcTxQ+4mxUvvwqhMwGqte20:ihuMitPIs3ruOSQ8fXL+vTewGqMM72X

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aranybarany.hu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    18Szalloda94

Targets

    • Target

      Christmas Tree and Wishes.exe

    • Size

      928KB

    • MD5

      87231278871e75634a5908e997d3d206

    • SHA1

      a5bfe2f65efc3cf19db69727d9e5b3227cd0d9b5

    • SHA256

      57653821b3827abd3779dcfc3a2d03f480eccf8beab8bc541ecda5aa9dc1bdcc

    • SHA512

      53d0fd37d0f82e1281442157f89362678e265781ab3f34076246655e6d6e423d384a3958d6ceccc8eb73199761206f15000747ed4c3c5ce2d6ec8408313f3fd8

    • SSDEEP

      12288:/U6NIHXUVUzXNrQtNMp8tP5S/kVtjNBu2EkS9ZA8+VcTxQ+4mxUvvwqhMwGqte20:YhuMitPIs3ruOSQ8fXL+vTewGqMM72X

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar items.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks