
General

  • Target

    4c36d139fa9df02b0ca10337dcdc5f0c781aeb299b98126fc63db2e667bff057

  • Size

    206KB

  • Sample

    240201-ccc53aagdm

  • MD5

    5dabea67aad7dcc99802e3a4a02f68ad

  • SHA1

    47999ee4b6bb2fd397a93a4b9d34b0d714a05fd6

  • SHA256

    4c36d139fa9df02b0ca10337dcdc5f0c781aeb299b98126fc63db2e667bff057

  • SHA512

    d94c61562a227a7bc68d909f4bed818e5318c4d97faed4646fb8a9edad78373695d597559e7b1920a15215fc12242dd286c1d86b375b961abfc8cf9ad830fc42

  • SSDEEP

    3072:UdSf2JsfZu1RYPaqKy+P5KV8e2iVvA9HT+Xrlmh:rhDhD+PYye2iiHKrlm

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ozmetalsan.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ikircicek4521

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      202401310009.exe

    • Size

      156KB

    • MD5

      0073882408ccaeaa4c77889b22c5546c

    • SHA1

      97f7176f986536ba6b16a2e59e699884a446d27a

    • SHA256

      17e2ea8ea355babc49d0b0f4a16aaffa3e7e3e97171668205247e16d8e5eb5b8

    • SHA512

      752ea528b877d92dc88c165e80f4f7add2864f2bdf6f5e96bbcf04a9adf13ca092cf93271cd25083cb033d26b884a3f1fd5e030c7f56b22277cfbae85173f2d9

    • SSDEEP

      3072:6dSf2JsfZu1RYPaqKy+P5KV8e2iVvA9HT+Xrlmh:JhDhD+PYye2iiHKrlm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks