General

  • Target

    bf430530be82d3d9226fe68ce89957e6d24992dd8938864d16f2896e943cd3ba

  • Size

    660KB

  • Sample

    240214-cklr6sfe86

  • MD5

    6e8dc0f3fe7636fbc76b25e44de5bf26

  • SHA1

    be3c9c3101f02a922b3d679452555a1726f5f39f

  • SHA256

    bf430530be82d3d9226fe68ce89957e6d24992dd8938864d16f2896e943cd3ba

  • SHA512

    8dbdc7ad5f550fe618bdf442d57212b88ed9bb7a8132ae01dd6eb0437121e74fb0080374171d50710f783ff672f8436c591abefe2b62f451b6f3734db7b92c36

  • SSDEEP

    12288:i8keQ5vziNwdaO1sGZqHtwEQozyTiz8e//XIY8LA3j:i8kriNwdx1HZqHtwuzDB

Malware Config

Extracted

Family

agenttesla

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pnr-resource.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Pnr@User#123

Targets

    • Target

      bf430530be82d3d9226fe68ce89957e6d24992dd8938864d16f2896e943cd3ba

    • Size

      660KB

    • MD5

      6e8dc0f3fe7636fbc76b25e44de5bf26

    • SHA1

      be3c9c3101f02a922b3d679452555a1726f5f39f

    • SHA256

      bf430530be82d3d9226fe68ce89957e6d24992dd8938864d16f2896e943cd3ba

    • SHA512

      8dbdc7ad5f550fe618bdf442d57212b88ed9bb7a8132ae01dd6eb0437121e74fb0080374171d50710f783ff672f8436c591abefe2b62f451b6f3734db7b92c36

    • SSDEEP

      12288:i8keQ5vziNwdaO1sGZqHtwEQozyTiz8e//XIY8LA3j:i8kriNwdx1HZqHtwuzDB

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks