
General

  • Target

    feb0c2c55cd253b97c2c0959c69e88a7849bb33808d4ecb98d4c8da0aa7de9cd.exe

  • Size

    761KB

  • Sample

    240308-c8tspaed6v

  • MD5

    dbc7755b6c9aec78dc744660535fd730

  • SHA1

    f991bf5d1002d029491e63df3f876276454021ce

  • SHA256

    feb0c2c55cd253b97c2c0959c69e88a7849bb33808d4ecb98d4c8da0aa7de9cd

  • SHA512

    d0c5bac079a1658d7a6bb38463bff6fcc063afd8c16e4c90686aa8a65595afe207ab4b37ff8712ffc9cef030fda4884008a4c3efa2a007ae921c43056b2ac3df

  • SSDEEP

    12288:g/OlqJhgcT/zKkvV2/jiQMexVmT0Vj9k1rldQWxy84vJuKVcD56Vyy1gjob:gmYJhguvAqexUOq/Jxytw8cN6Vv

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    SMTP account from the sample's configuration, used to send stolen data (attacker-controlled, not a victim credential):

    • Protocol:
      smtp
    • Host:
      cp8nl.hyperhost.ua
    • Port:
      587
    • Username:
      [email protected]
    • Password:
      7213575aceACE@#$

Targets

    • Target

      feb0c2c55cd253b97c2c0959c69e88a7849bb33808d4ecb98d4c8da0aa7de9cd.exe

    • AgentTesla

      Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, originally written in Visual Basic .NET.

    • Detects packed .NET executables; mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows Vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

      Setting another thread's context is a common step in process hollowing and other code-injection techniques, where execution is redirected into injected code.
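As an added example (not from the Triage report and not Agent Tesla's own code), the following Python folds constructed Sysmon-style events into per-process state and matches them against the indicators on this page: the sample's SHA256, the extracted SMTP host and port, and the credential-store reads behind the signature names listed above. The file and registry patterns are assumptions about what those signatures look for, taken from where FileZilla, WinSCP, Chromium-based browsers, Firefox and Thunderbird keep their data; the report itself lists only the signature names. The event records are constructed for the example.

```python
"""Correlate endpoint telemetry with the indicators in this report.

Added example, not part of the Triage report and not Agent Tesla code.
The event records at the bottom are constructed for the example.
"""
import fnmatch
from dataclasses import dataclass, field

# Indicators taken directly from the report.
SAMPLE_SHA256 = "feb0c2c55cd253b97c2c0959c69e88a7849bb33808d4ecb98d4c8da0aa7de9cd"
EXFIL_HOST = "cp8nl.hyperhost.ua"
EXFIL_PORT = 587

# Assumed file/registry patterns behind the report's signature names, based
# on where the named applications store data (the report lists only names).
FILE_RULES = {
    "Reads data files stored by FTP clients": [
        "*\\FileZilla\\sitemanager.xml",
        "*\\FileZilla\\recentservers.xml",
    ],
    "Reads user/profile data of web browsers": [
        "*\\User Data\\*\\Login Data",           # Chromium-based browsers
        "*\\Firefox\\Profiles\\*\\logins.json",  # Firefox
    ],
    "Reads user/profile data of local email clients": [
        "*\\Thunderbird\\Profiles\\*\\logins.json",
    ],
}
REG_RULES = {
    "Checks computer location settings": [
        "*\\Control Panel\\International\\Geo\\Nation",
    ],
    "Reads WinSCP keys stored on the system": [
        "*\\Martin Prikryl\\WinSCP 2\\Sessions*",
    ],
}


def _norm(value: str) -> str:
    """Case-fold and use '/' so fnmatch never sees backslashes."""
    return value.replace("\\", "/").lower()


def _hits(value: str, rules: dict) -> list:
    v = _norm(value)
    return [name for name, pats in rules.items()
            if any(fnmatch.fnmatchcase(v, _norm(p)) for p in pats)]


def match_rules(ev: dict) -> list:
    """Signature names a single file or registry event satisfies."""
    if ev["type"] == "file":
        return _hits(ev["path"], FILE_RULES)
    if ev["type"] == "registry":
        return _hits(ev["key"], REG_RULES)
    return []


@dataclass
class ProcessState:
    image: str = ""
    rules: set = field(default_factory=set)
    known_hash: bool = False
    exfil: bool = False


def scan(events: list) -> dict:
    """Fold a stream of events into per-PID state."""
    procs = {}
    for ev in events:
        st = procs.setdefault(ev["pid"], ProcessState())
        if ev["type"] == "process":
            st.image = ev["image"]
            st.known_hash = ev.get("sha256", "").lower() == SAMPLE_SHA256
        elif ev["type"] == "network":
            if ev["dst"].lower() == EXFIL_HOST and ev["port"] == EXFIL_PORT:
                st.exfil = True
        else:
            st.rules.update(match_rules(ev))
    return procs


def verdicts(events: list, min_rules: int = 2) -> list:
    """PIDs to escalate: a known-bad hash, or reads from at least `min_rules`
    credential-store categories by a process that also contacts the exfil
    host. A single read alone (a browser opening its own Login Data) is
    normal and is not flagged."""
    return [pid for pid, st in scan(events).items()
            if st.known_hash or (st.exfil and len(st.rules) >= min_rules)]


# Constructed telemetry: a repacked stealer (hash unknown), a benign browser,
# and a process whose hash matches the sample in this report.
EVENTS = [
    {"type": "process", "pid": 4242, "sha256": "0" * 64,
     "image": "C:\\Users\\bob\\Downloads\\invoice.exe"},
    {"type": "registry", "pid": 4242,
     "key": "HKCU\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file", "pid": 4242,
     "path": "C:\\Users\\bob\\AppData\\Roaming\\FileZilla\\recentservers.xml"},
    {"type": "registry", "pid": 4242,
     "key": "HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\prod-sftp"},
    {"type": "file", "pid": 4242,
     "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "network", "pid": 4242, "dst": "cp8nl.hyperhost.ua", "port": 587},
    {"type": "process", "pid": 5100, "sha256": "1" * 64,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"type": "file", "pid": 5100,
     "path": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "process", "pid": 6010, "sha256": SAMPLE_SHA256,
     "image": "C:\\Users\\bob\\Downloads\\" + SAMPLE_SHA256 + ".exe"},
]

if __name__ == "__main__":
    for pid, st in scan(EVENTS).items():
        print(pid, st.image, sorted(st.rules), "exfil" if st.exfil else "")
    print("escalate:", verdicts(EVENTS))
```

The per-process correlation is the point: the benign Chrome process trips the browser rule once and is ignored, while PID 4242 touches four credential stores and then connects to the extracted SMTP host on port 587, which is enough to escalate even though its hash is not the one in this report. In a real deployment the same matching would run over EDR process-create events (hash), file and registry audit events (signatures), and DNS or proxy logs (exfil host) rather than a hand-built list.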
