General

  • Target

    Agba.lnk

  • Size

    1KB

  • Sample

    240209-xcedcadf5t

  • MD5

    93295fcc7a8a293691452752e7ee65c2

  • SHA1

    9f62a604cb60916f378dcdae647aa2ebdd9a4d6c

  • SHA256

    59fd27ae5232b13b560abee552f9cec716b00cd9ca4273b36a4ab714c6a01533

  • SHA512

    b20b01e4d9d878c6acf99051372a55bdc1a32239ed600964b42f40704d56a2c37b75f1b270c4c2b1fd005d82f96de68b4988f1706619c74881c32fa446421f21

Malware Config

Extracted

  • Language

    hta

  • Source

    hta.dropper

  • URLs

    http://172.86.101.170/chache

Targets

    • DarkGate

      DarkGate is an infostealer written in C++.

    • Detect DarkGate stealer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
