General

  • Target

    c6aa4df5c1a41c924836d332bdb2cc68a5c4c611dbeae29629ed86f7ccb4b10e

  • Size

    751KB

  • Sample

    240307-catp2ada93

  • MD5

    21359335fbd65ef5d2351fa45230c2f0

  • SHA1

    08b813bf5615ab5e6a41fac323349e9ca3fe6a2f

  • SHA256

    c6aa4df5c1a41c924836d332bdb2cc68a5c4c611dbeae29629ed86f7ccb4b10e

  • SHA512

    f2a8944b2cf7b60f27cda4e0f16741f98b06404a713cdae9e2ba19c3345acf989580d7911965286f33e8670ad26fcfae34b9950c1dbaa45f21fc52f7c0f49c57

  • SSDEEP

    12288:qm1emEgzgjjN2iN+X6AdtGNc17QK4qjRyJSn8k/SduA1hvR/ejceM:qm0+gjjN12YI73zj8JSn56duA1J0jc

Malware Config

Extracted

  • Family
    agenttesla

Extracted Credentials

  • Protocol: smtp
  • Host: server348.web-hosting.com
  • Port: 587
  • Username: [email protected]
  • Password: 7zh+C6U~a;Jc

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks