General

  • Target

    579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969.exe

  • Size

    636KB

  • Sample

    240212-ef1fwafa6y

  • MD5

    9c1dbd904a8ef4ea3b9e780215d4b5cd

  • SHA1

    525e03b33d5b9796c76ae2428448acfea3a66525

  • SHA256

    579e14e67dedb45ea3b315a678450891a931387f884bb196407defc567604969

  • SHA512

    228edc0b70c250a62411bea9c7238a4d9359fe8982de56e4db08eacdd26041fb9f43138ffed051ff4b67ef03fe5d8fb0bdd49d1e7052382fe4412bfc38d58c07

  • SSDEEP

    12288:MOL+xEd66WXUAoFHDPdzxFdyrxbHsa0X0K85My2FHybNIZFlICgBcPA:fCxcvWXvoFjPdzx+bx/eyiANIj7NPA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.wasstech.com
  • Port:
    587
  • Username:
    wassteam@wasstech.com
  • Password:
    Sunray2700@@
  • Email To:
    tsirisep@gmail.com

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks