General

  • Target

    EMED_ZAMÓWIENIE_N.2402290221.exe

  • Size

    1.2MB

  • Sample

    240229-kr54dscb82

  • MD5

    90fef91edee1df02f5f9336dcee3f444

  • SHA1

    c983932f2a99e0c42860e12078ed971bf529dec5

  • SHA256

    4462f40cbb243a63f60fcc2c1b03150dc45d9fd0e8cef78c7e6ea9de60aa32cf

  • SHA512

    bd16674ec38ab19dc0534d32ae3c2efc37d6289a59a1392ed10a62f0b6889073181c5eb73c97f893d27a4e0a70adc21b54496d31c8271305ee786e9f48358bbd

  • SSDEEP

    12288:Vj/R7ulzg/GpXVowlaUl/GDDL3oRfMhYKCUo8riaj6sgQE3mmSweHR5JNHrU3275:rqz1BAaUo8riaj6nNHQR4zA9gmNt

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.rusticpensiune.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks