General

  • Target

    23cc4f039287640e9c1f024a852b187a48cc909c381ac7c5bc0eb67403ab477d

  • Size

    805KB

  • Sample

    240314-ct4z4sgc4v

  • MD5

    abd47c31f497c885e32c6f102f178eff

  • SHA1

    22d5dfbed3eff5016557b861404a7da915943042

  • SHA256

    23cc4f039287640e9c1f024a852b187a48cc909c381ac7c5bc0eb67403ab477d

  • SHA512

    ee50bef625be78e9390b6239b44e16769585cc1492231adf0eb4a6f6875d466ae75a9a29ceaec7b8c08ed225e82b016ae6c7af441233cd501de26bd0473cd284

  • SSDEEP

    24576:AosbyT7/dkcufT+u7Z+3Qh82GhJUva6k:AosGPdOfqu70RHhJUvQ

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Jn*vMdM0
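The extracted config above gives the one network indicator that matters for this sample: credential exfiltration over SMTP submission (port 587) to us2.smtp.mailhostbox.com. The following is an added detection example, not part of the tria.ge report and not the malware's own code. It runs over constructed records shaped like Sysmon Event ID 3 (network connection) JSON, flagging both the known exfiltration host and, more generally, any SMTP-port connection from a process that is not a mail client, since Agent Tesla sends from its own (or a hollowed) process. The ALLOWED_MAIL_CLIENTS set is an assumption to tune per environment.

```python
"""Detection: SMTP submission from a non-mail process (Agent Tesla exfil).

Added example, not part of the tria.ge report.  The records below are
constructed to mirror Sysmon Event ID 3 (network connection) fields; the
exfiltration host is the one from the sample's extracted config.
"""
import json
from typing import Iterable, List, Optional, Tuple

# Host recovered from this sample's config (SMTP, port 587).
KNOWN_EXFIL_HOSTS = {"us2.smtp.mailhostbox.com"}

# 25 = SMTP delivery, 587 = submission, 465 = implicit-TLS SMTP.
SMTP_PORTS = {25, 465, 587}

# Processes allowed to speak SMTP from a workstation.  Assumption for this
# example; tune to the environment (and remember code can be injected into
# these too, so treat the allow-list as a noise filter, not a trust anchor).
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon-style JSON lines (not real telemetry).  Raw strings so
# that the doubled backslashes survive as JSON escapes.
SAMPLE_LOG = [
    r'{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "CommandLine": "invoice.exe"}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "smtp.office365.com", "DestinationPort": 587}',
    r'{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "DestinationHostname": "us2.smtp.mailhostbox.com", "DestinationPort": 587}',
    r'{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "DestinationHostname": "mail.example.net", "DestinationPort": 587}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "update.example.com", "DestinationPort": 443}',
]


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-per-line records, keeping only network-connection events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventID") == 3:
            events.append(rec)
    return events


def classify(event: dict) -> Optional[str]:
    """Return a verdict string for a suspicious connection, else None."""
    host = str(event.get("DestinationHostname", "")).lower()
    port = int(event.get("DestinationPort", 0))
    image = str(event.get("Image", "")).rsplit("\\", 1)[-1].lower()
    if host in KNOWN_EXFIL_HOSTS:
        return "known-exfil-host"
    if port in SMTP_PORTS and image not in ALLOWED_MAIL_CLIENTS:
        return "smtp-from-non-mail-client"
    return None


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Run classify() over parsed events; returns (verdict, image, host, port)."""
    hits = []
    for ev in parse_events(lines):
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev["Image"], ev["DestinationHostname"],
                         int(ev["DestinationPort"])))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(*hit, sep="\t")
```

DestinationHostname is only populated when Sysmon's DNS lookup option is on; in environments where it is not, match on DestinationIp as well, and expect the hostname indicator to go stale quickly since the operator can rotate mailboxes without touching the binary.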

Targets

    • Target

      23cc4f039287640e9c1f024a852b187a48cc909c381ac7c5bc0eb67403ab477d

    • Size

      805KB

    • MD5

      abd47c31f497c885e32c6f102f178eff

    • SHA1

      22d5dfbed3eff5016557b861404a7da915943042

    • SHA256

      23cc4f039287640e9c1f024a852b187a48cc909c381ac7c5bc0eb67403ab477d

    • SHA512

      ee50bef625be78e9390b6239b44e16769585cc1492231adf0eb4a6f6875d466ae75a9a29ceaec7b8c08ed225e82b016ae6c7af441233cd501de26bd0473cd284

    • SSDEEP

      24576:AosbyT7/dkcufT+u7Z+3Qh82GhJUva6k:AosGPdOfqu70RHhJUvQ

    • AgentTesla

      Agent Tesla is a .NET (Visual Basic) remote access tool (RAT) and information stealer; the config extracted from this sample exfiltrates harvested data over SMTP to the host listed under Credentials above.

    • Checks computer location settings

      Looks up the country code configured in the registry (the user GeoID under HKCU\Control Panel\International\Geo), most likely to geofence execution.

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP's stored sessions (HKCU\Software\Martin Prikryl\WinSCP 2\Sessions or WinSCP.ini); saved passwords there are only obfuscated with a key derived from the username and hostname, not encrypted, so a stealer that can read the value can recover the cleartext.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla (for example sitemanager.xml and recentservers.xml, where saved passwords are stored base64-encoded rather than encrypted).

    • Reads user/profile data of local email clients

      Email clients store account settings and credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      Setting the thread context of another process is how a loader redirects a suspended process's entry point to injected code (process hollowing), so the payload runs under a legitimate-looking image; the sandbox flags the call, not the outcome.
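To show why "Reads WinSCP keys stored on the system" is a credential-theft finding and not merely a file access, the following added example (not code from the report or from the malware) re-implements WinSCP's stored-password scheme from its public source (Security.cpp: SimpleEncryptChar, EncryptPassword, DecryptPassword). The only "key" is the username concatenated with the hostname, both of which sit next to the password in the same Sessions\<name> registry key or WinSCP.ini section, so anything that can read the three values can recover the cleartext. The SESSION record and the password in it are constructed; the registry path is the real one.

```python
"""WinSCP stored-password obfuscation, re-implemented from WinSCP's public
source (Security.cpp: SimpleEncryptChar / EncryptPassword / DecryptPassword).

Added example, not code from the report or from the malware.  The session
record below is constructed; real ones live under
HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\<name> (or WinSCP.ini)
as HostName, UserName and Password values.
"""
import random

PW_MAGIC = 0xA3   # PWALG_SIMPLE_MAGIC
PW_FLAG = 0xFF    # PWALG_SIMPLE_FLAG: marks the current, length-prefixed format
PW_ALG = 0x01     # PWALG_SIMPLE: written as a dummy byte after the flag
PW_MAXLEN = 50    # PWALG_SIMPLE_MAXLEN: blobs are padded to 50 bytes (100 hex digits)


def _enc_byte(b: int) -> str:
    """One byte -> two upper-case hex digits of (~b) ^ MAGIC."""
    return "%02X" % (((~b) & 0xFF) ^ PW_MAGIC)


def _dec_byte(blob: str, pos: int):
    """Inverse of _enc_byte; WinSCP yields 0 once the input is exhausted."""
    if pos + 2 > len(blob):
        return 0, pos
    return (~(int(blob[pos:pos + 2], 16) ^ PW_MAGIC)) & 0xFF, pos + 2


def encrypt_password(password: str, host: str, user: str, shift: int = 0) -> str:
    """Produce the hex blob WinSCP writes to the Password value.

    user + host is prepended to the password so that decryption can check it;
    `shift` random bytes precede that (WinSCP picks the count at random, it is
    a parameter here, with seeded padding, so the output is reproducible).
    """
    rng = random.Random(0)  # deterministic padding for the example only
    data = (user + host + password).encode("utf-8")
    out = _enc_byte(PW_FLAG) + _enc_byte(PW_ALG) + _enc_byte(len(data)) + _enc_byte(shift)
    out += "".join(_enc_byte(rng.randrange(256)) for _ in range(shift))
    out += "".join(_enc_byte(b) for b in data)
    while len(out) < PW_MAXLEN * 2:
        out += _enc_byte(rng.randrange(256))
    return out


def decrypt_password(blob: str, host: str, user: str) -> str:
    """Recover the cleartext; returns '' if the user/host key does not match."""
    key = (user + host).encode("utf-8")
    flag, pos = _dec_byte(blob, 0)
    if flag == PW_FLAG:
        _, pos = _dec_byte(blob, pos)        # dummy algorithm byte
        length, pos = _dec_byte(blob, pos)
    else:
        length = flag                        # legacy format: first byte is the length
    skip, pos = _dec_byte(blob, pos)
    pos += skip * 2                          # step over the random prefix
    buf = bytearray()
    for _ in range(length):
        b, pos = _dec_byte(blob, pos)
        buf.append(b)
    if flag == PW_FLAG:
        if not buf.startswith(key):
            return ""
        buf = buf[len(key):]
    return buf.decode("utf-8", "replace")


# Constructed stand-in for the values under one Sessions\<name> key.
SESSION = {
    "HostName": "sftp.example.org",
    "UserName": "backup",
    "Password": encrypt_password("Tr0ub4dor&3", "sftp.example.org", "backup", shift=5),
}


def recover_session(session: dict) -> str:
    """What a stealer does with the three values it just read."""
    return decrypt_password(session["Password"], session["HostName"], session["UserName"])


if __name__ == "__main__":
    print(SESSION["Password"])
    print(recover_session(SESSION))
```

The practical consequence: WinSCP sessions with saved passwords should be treated as plaintext credentials for incident scoping, and rotated whenever a host with this capability on it is confirmed compromised. WinSCP's master-password option changes this picture; without it, the scheme above is all that stands between the registry value and the password.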
