General

  • Target

    ccdb59873a1a5c0bc377b8854dedf692a10c9c4c9231e0ebff9365ca2e779db9.exe

  • Size

    1.0MB

  • Sample

    240309-efn3vadc2z

  • MD5

    b3cc065a08ae54b888715fc65a1daeb4

  • SHA1

    de75bab87e1256c79fa7d0ddea288222273ea59e

  • SHA256

    ccdb59873a1a5c0bc377b8854dedf692a10c9c4c9231e0ebff9365ca2e779db9

  • SHA512

    48c9c3d5bc35834234187e8ca4322f4c5b3657c30573bc4f4a0efc47e6d15076d19af24cb3264e0a3a118d20d174ae2b7d836e0d1aa06d8b61d58e88df39aeff

  • SSDEEP

    12288:5tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgalTJ0fxBWvx8cs2048Z5:5tb20pkaCqT5TBWgNQ7aRJ0ZYXD8Z6A

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.elquijotebanquetes.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    kFxADjwNBm$_

Targets

    • Target

      ccdb59873a1a5c0bc377b8854dedf692a10c9c4c9231e0ebff9365ca2e779db9.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext