General

  • Target

    db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d

  • Size

    1.0MB

  • Sample

    240307-ak16rada31

  • MD5

    a137ddf047bb1db826af4ccb3110db6d

  • SHA1

    dd93f6c84d0b01d78d7eae68811e8f5edd512019

  • SHA256

    db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d

  • SHA512

    bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475

  • SSDEEP

    24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext