Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b3a120ec6f2895f9b5b6c0eb90423c3585f7acc1407163ccadc424305c9ad9a6

  • Size

    1.2MB

  • Sample

    240224-bwnkgaef2s

  • MD5

    4a2d1c6305288f18f384326344bb6039

  • SHA1

    0b66f992cc5d8fce154444b7b2db36968e76ee30

  • SHA256

    b3a120ec6f2895f9b5b6c0eb90423c3585f7acc1407163ccadc424305c9ad9a6

  • SHA512

    47b5750f3865ff9f1317c6a40cef3dafdd3223250f83d237520a0e3ee5189f9602461ce4f5ee78948f027bf3ad77c092aa14e667c7be48b73505598908486671

  • SSDEEP

    12288:klW3YDmzBh35cqFnG0/D0HPddOBQEYrDTm60aa3C7X/SpIk:vBvZb0HlsBQXPi60N3C7

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flecon.com.sg
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    8CJN6A87XUIU

Targets

    • Target

      PO 20078990017432988476.exe

    • Size

      722KB

    • MD5

      31bd10b45a914ae0a1970a09841ca2d9

    • SHA1

      179a360096552c8940107052bb5d1aa216f36f72

    • SHA256

      698fe043efc551bc9c522c8fbc38de3faeefa94a5ce5592863bacbda611f04e0

    • SHA512

      db8cad54866691607c9f47432aaaf6aa97faa1894a7b5bca623c7991c8a021971766302d731df3a090768e96a946a336805af3a5102f16e4237e48a38d650207

    • SSDEEP

      12288:flW3YDmzBh35cqFnG0/D0HPddOBQEYrDTm60aa3C7X/SpIkR:KBvZb0HlsBQXPi60N3C7i

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks