General
- Target: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.zip
- Size: 283KB
- Sample: 240118-ghblmsdgcm
- MD5: a5df9baff836278a7b6ecf187976b190
- SHA1: ea8002dab926a32885cff76936baf1de60ea33b8
- SHA256: f8107dcd6388dddcd4133a3bd3bbfb6a12b5ce3b17b2b0b3ec59e23c9771ba5b
- SHA512: 28684f07c21e47a662a4375850aa3d7ffa20c4782ec8d84c0df852bad79708aec5127c928fcdeaaded10a7c4149fa8cebbf2408d61573b5f38687b6e696a7a2d
- SSDEEP: 6144:2xo4R4SpAmNYDBkUlXsv6RXL0d7K4r4HCj1TJzRyLZq:Qf5pAmiDlXgk87Kcbg8
Static task
- static1
Behavioral task
- behavioral1 (Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls, Resource: win7-20231215-en)
- behavioral2 (Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls, Resource: win10-20231215-en)
- behavioral3 (Sample: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls, Resource: win10v2004-20231215-en)
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail1.netim.hosting
- Port: 587
- Username: [email protected]
- Password: Emotion22
- Email To: [email protected]
Targets
- Target: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
- Size: 302KB
- MD5: 250841072f7bb27d6a75cd026249bb87
- SHA1: 190342d9c712d9af9a3dce9eb3f2ff32bf100e23
- SHA256: 8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
- SHA512: 27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
- SSDEEP: 6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext