Resubmissions

20/02/2024, 01:57

240220-cc95sshg44 10

20/02/2024, 01:54

240220-cbjlfshf93 10

General

  • Target

    72206ef3ffece5fca5dba4182cc13dab225d80896d1702163265614dd17ecf1a

  • Size

    705KB

  • Sample

    240220-cc95sshg44

  • MD5

    8ecbb2c7f6a96c777b9c1006de504489

  • SHA1

    89c724cba92a147adacc47db58d2d6ab56e4d9b4

  • SHA256

    72206ef3ffece5fca5dba4182cc13dab225d80896d1702163265614dd17ecf1a

  • SHA512

    276f142028f03e51efd840ee85824fd0583737b67c0c8e0b92fe9d70f89555e06bf3414c24feeafb0a5179214e0384fb908257af0be2b6f7352391b592678388

  • SSDEEP

    12288:6JdKUSmPwRYnOELz89Lc/OiG+kNajkdzVQO6hdFZd+SlJa+wlXthAGR83Gv4R+DS:wdKUSmP0Y74Q/OnACqbdFX+eaXjCGR88

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ssipae.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Kamikase333

Extracted

Family

agenttesla

Targets

    • Target

      72206ef3ffece5fca5dba4182cc13dab225d80896d1702163265614dd17ecf1a

    • Size

      705KB

    • MD5

      8ecbb2c7f6a96c777b9c1006de504489

    • SHA1

      89c724cba92a147adacc47db58d2d6ab56e4d9b4

    • SHA256

      72206ef3ffece5fca5dba4182cc13dab225d80896d1702163265614dd17ecf1a

    • SHA512

      276f142028f03e51efd840ee85824fd0583737b67c0c8e0b92fe9d70f89555e06bf3414c24feeafb0a5179214e0384fb908257af0be2b6f7352391b592678388

    • SSDEEP

      12288:6JdKUSmPwRYnOELz89Lc/OiG+kNajkdzVQO6hdFZd+SlJa+wlXthAGR83Gv4R+DS:wdKUSmP0Y74Q/OnACqbdFX+eaXjCGR88

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks