Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    64ffddfdb7b226084feb2a9e18045946f75e34277c7447515c6db7f1222a766a

  • Size

    1002KB

  • Sample

    240202-ccvecadecr

  • MD5

    e82d4b80d1ee59fa32a8cc692eb667a8

  • SHA1

    410e414d332b65b16f888a873d0c2842fb0c03e3

  • SHA256

    64ffddfdb7b226084feb2a9e18045946f75e34277c7447515c6db7f1222a766a

  • SHA512

    dd0c5e70a026e666b7ef5d722683043cf4d4b8de3284c070556e55d7e66d60208147c6272462d087b20f4342635556074d086706a06668fbef01dabef8d57480

  • SSDEEP

    24576:qMyULPrDTQB2mspOLbuU0kqwlHdkngrzZlNE:vDTm2vpQuUlqwdkgrzBE

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.aranybarany.hu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    18Szalloda94

Targets

    • Target

      64ffddfdb7b226084feb2a9e18045946f75e34277c7447515c6db7f1222a766a

    • Size

      1002KB

    • MD5

      e82d4b80d1ee59fa32a8cc692eb667a8

    • SHA1

      410e414d332b65b16f888a873d0c2842fb0c03e3

    • SHA256

      64ffddfdb7b226084feb2a9e18045946f75e34277c7447515c6db7f1222a766a

    • SHA512

      dd0c5e70a026e666b7ef5d722683043cf4d4b8de3284c070556e55d7e66d60208147c6272462d087b20f4342635556074d086706a06668fbef01dabef8d57480

    • SSDEEP

      24576:qMyULPrDTQB2mspOLbuU0kqwlHdkngrzZlNE:vDTm2vpQuUlqwdkgrzBE

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks