Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d43aabb445ebb4aed4c3ecd11803c5691bb27e574dff608290582e1f57692e19.exe

  • Size

    246KB

  • Sample

    240304-qy43kacf67

  • MD5

    2b14cb0e21283c1f18c566f94f66f1bb

  • SHA1

    76318c348cb53008300bf82271f1e7ea57391a21

  • SHA256

    d43aabb445ebb4aed4c3ecd11803c5691bb27e574dff608290582e1f57692e19

  • SHA512

    ec36b0a6cf18b0521ea068f69fa706855458065c1349c03f4d526615656db9d4d1b49a9dc28c312e58c3667d1e55839db6ac0a54790a7d762b13c7b8ff8120c4

  • SSDEEP

    3072:FSCHHXX3HGhgK5IOf7SILUJCQ75VWo2aZIV82:FJHXX3HGhgK5h6CQeo2n

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.regs-adnocae.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    LCxt8+!#W9Uw

Targets

    • Target

      d43aabb445ebb4aed4c3ecd11803c5691bb27e574dff608290582e1f57692e19.exe

    • Size

      246KB

    • MD5

      2b14cb0e21283c1f18c566f94f66f1bb

    • SHA1

      76318c348cb53008300bf82271f1e7ea57391a21

    • SHA256

      d43aabb445ebb4aed4c3ecd11803c5691bb27e574dff608290582e1f57692e19

    • SHA512

      ec36b0a6cf18b0521ea068f69fa706855458065c1349c03f4d526615656db9d4d1b49a9dc28c312e58c3667d1e55839db6ac0a54790a7d762b13c7b8ff8120c4

    • SSDEEP

      3072:FSCHHXX3HGhgK5IOf7SILUJCQ75VWo2aZIV82:FJHXX3HGhgK5h6CQeo2n

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks