General

  • Target

    4fb44ab10d15da11952bca16bae94bd4929eed33fdf277c184bf903f8bbe2c1e.zip

  • Size

    636KB

  • Sample

    240213-dhhs6seh36

  • MD5

    f432e138bab35689962a8f5db4943c68

  • SHA1

    8a177b6eff085b725b7852e3d5978923b058983a

  • SHA256

    4fb44ab10d15da11952bca16bae94bd4929eed33fdf277c184bf903f8bbe2c1e

  • SHA512

    00589150e8f8eb73477e27a5c0e82130dac237500533dc72bb37d9ca6c8a0da4b3f2874fe9da629bcb312eaa00ade9adf31412d7966b258ae5297f458a412eac

  • SSDEEP

    12288:hxTk5gQ+GzG4X4xWk+l8Kt/07oTcactW71AT2NM+3JRStdSByO1nrsWFJDo3o:hJd6iWkTC07RoZ7M+3JydSByonrsAo3o

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Dispatch Details.exe

    • Size

      666KB

    • MD5

      311d25fbd99f007e030d5e0ee174f73c

    • SHA1

      b055ceb16c9a6eb74875f47b3746851e8ecccedd

    • SHA256

      6b8bddabcfb3f12258d513da1d26230a9ca39b3d1796afd63fa32cb9d29594db

    • SHA512

      b26231ca787e0a5875c6c61b054205d94aeac47e2054448b890e76dc99bb7c3b77e7e8a630af0ebef5684985dda47f41c605531bc0eba81b181d1efcf64c3af4

    • SSDEEP

      12288:IxEd6x+J3cYI8CLWk+lyKt/0/iTwactW75AT2645dQgv28bt2m+T4Y4nq8syWxF:IxcGOIxWknC0/5olxKx8MmrI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks