Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3c2e45ec9a4b0e3b05b964f8cc1b5a124101e223aaad08f060c90e9140a34377.exe

  • Size

    577KB

  • Sample

    240229-f2grbsfa34

  • MD5

    0bd3ba54e625948b9378c9ff8f2905ad

  • SHA1

    aa2de74b5fdfd4e92bd5f8ee46b4cc2768d5b6b6

  • SHA256

    3c2e45ec9a4b0e3b05b964f8cc1b5a124101e223aaad08f060c90e9140a34377

  • SHA512

    9dd6d3c845c30b244bc717c6a5be7e37fcbc3e947403fa21bff107c60019a92dd474dd44de19dd77774363079a0709f6718b06d067fc22dffd8effd0f0cee24d

  • SSDEEP

    12288:VOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPin2Acooe1GJqAAdR5VOkO:Vq5TfcdHj4fmb4HTbr5I

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4r@d15PS!-!h

Targets

    • Target

      3c2e45ec9a4b0e3b05b964f8cc1b5a124101e223aaad08f060c90e9140a34377.exe

    • Size

      577KB

    • MD5

      0bd3ba54e625948b9378c9ff8f2905ad

    • SHA1

      aa2de74b5fdfd4e92bd5f8ee46b4cc2768d5b6b6

    • SHA256

      3c2e45ec9a4b0e3b05b964f8cc1b5a124101e223aaad08f060c90e9140a34377

    • SHA512

      9dd6d3c845c30b244bc717c6a5be7e37fcbc3e947403fa21bff107c60019a92dd474dd44de19dd77774363079a0709f6718b06d067fc22dffd8effd0f0cee24d

    • SSDEEP

      12288:VOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPin2Acooe1GJqAAdR5VOkO:Vq5TfcdHj4fmb4HTbr5I

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks