General

  • Target

    20bc8b3cd7a9b7b843791dd7062598b8564132ecadcc009f27678d2dcc7db93d

  • Size

    705KB

  • Sample

    240203-bzyjvadhd6

  • MD5

    de0bfea700906dea65ae87dd3c8a93e2

  • SHA1

    4d84ebbff27efa5d244697131a243796a15b7f5c

  • SHA256

    20bc8b3cd7a9b7b843791dd7062598b8564132ecadcc009f27678d2dcc7db93d

  • SHA512

    e7731e6da2e31ecf976d19a5c927aa9ea248f72900eeb9ba7964ef5f1de3b0bf9336dee266e185de28ac4a12fcb63717ac4be1d9467749831e31c539634b3c3b

  • SSDEEP

    12288:BfLKIAYQ4hu+fABslAw8ZbJk87zXMif8NryBZeNwcP3sBcxwmjil8wmb:V2IAjB0ok8hf8V6e78gwmulF

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    premium162.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Targets

    • Target

      20bc8b3cd7a9b7b843791dd7062598b8564132ecadcc009f27678d2dcc7db93d

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks