General

  • Target

    2bb6d3d19f8ee34a6a8b5d45a8216473.exe

  • Size

    639KB

  • Sample

    240314-ktap9sfe51

  • MD5

    2bb6d3d19f8ee34a6a8b5d45a8216473

  • SHA1

    801c35c9425a3f374288e154d98d00f43232f5c4

  • SHA256

    ad77bb97aeb66fe1b701641d3753bdeaac0f6f6ba2976903dd7eec0a44d87e6f

  • SHA512

    2dbc9094ffa004844d4b78abf48f4eba2c03591887d5a2097cc503c7723ed824dc9076253391efe2ed32c40bd71a70154504cd766f53874d2f855c75873bcbd7

  • SSDEEP

    12288:9sJTENl3sNOwoLxXqEy6CLQlkjPlyivZvqSOaF+SB:+xENlc0dxXqENZipY3+R

Malware Config

Extracted

  • Family

    agenttesla

Extracted credentials

  • Protocol:
    smtp
  • Host:
    mail.kabeercommodities.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    w{A6H.o&sz%g

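The block above is the sample's exfiltration channel: stolen data is sent as mail through the listed SMTP submission host with the listed account. Treat the host, port and mailbox as indicators, not as something to authenticate against; the account belongs to a third party and is almost certainly itself compromised. Note also that the username was obfuscated during page extraction and is not recoverable here, so the check below keys on host and port rather than on the mailbox. The following is an added example, not code from tria.ge or from the sample, that turns the extracted settings into network indicators and runs them over constructed Zeek-style dns.log and conn.log lines. The resolved address 203.0.113.10, the allow-listed corporate submission server 10.0.0.25 and every log line are assumptions for the example and do not appear on the page.

```python
# Added example for this report (not code from tria.ge or from the sample):
# turn the extracted AgentTesla SMTP exfiltration settings into network
# indicators and run them over constructed Zeek-style dns.log / conn.log lines.
# Assumed, not from the page: the resolved IP 203.0.113.10 for the mail host,
# the allow-listed corporate submission server 10.0.0.25, and every log line.
from __future__ import annotations

from dataclasses import dataclass

# Indicators taken from the report's "Malware Config" section.
EXFIL_HOST = "mail.kabeercommodities.com"
EXFIL_PORT = 587
SAMPLE_SHA256 = "ad77bb97aeb66fe1b701641d3753bdeaac0f6f6ba2976903dd7eec0a44d87e6f"

# SMTP submission servers this network is expected to talk to (assumed).
ALLOWED_SMTP_SERVERS = {"10.0.0.25"}

# Constructed dns.log: ts uid orig_h orig_p resp_h resp_p query answer
DNS_LOG = """\
1710400001.000\tC1\t10.0.0.7\t51000\t10.0.0.2\t53\tmail.kabeercommodities.com\t203.0.113.10
1710400002.000\tC2\t10.0.0.7\t51001\t10.0.0.2\t53\twww.example.com\t198.51.100.40
"""

# Constructed conn.log: ts uid orig_h orig_p resp_h resp_p proto service duration
CONN_LOG = """\
1710400005.000\tC3\t10.0.0.7\t52010\t203.0.113.10\t587\ttcp\tsmtp\t3.2
1710400006.000\tC4\t10.0.0.7\t52011\t198.51.100.40\t443\ttcp\tssl\t0.4
1710400007.000\tC5\t10.0.0.9\t52020\t10.0.0.25\t587\ttcp\tsmtp\t1.1
1710400008.000\tC6\t10.0.0.12\t52030\t192.0.2.77\t587\ttcp\tsmtp\t2.0
"""


@dataclass(frozen=True)
class Conn:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    service: str


def _rows(text: str) -> list[list[str]]:
    """Split tab-separated log text into field lists, skipping blanks and comments."""
    return [line.split("\t") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def parse_dns_log(text: str) -> dict[str, set[str]]:
    """Map each queried name (lower-cased) to the set of IPs it resolved to."""
    resolved: dict[str, set[str]] = {}
    for f in _rows(text):
        resolved.setdefault(f[6].lower(), set()).add(f[7])
    return resolved


def parse_conn_log(text: str) -> list[Conn]:
    """Keep only the conn.log fields the check needs."""
    return [Conn(uid=f[1], orig_h=f[2], resp_h=f[4], resp_p=int(f[5]), service=f[7])
            for f in _rows(text)]


def find_exfil(conns: list[Conn], resolved: dict[str, set[str]],
               allowed: set[str] = ALLOWED_SMTP_SERVERS) -> list[tuple[str, str, str]]:
    """Return (uid, client, verdict) for SMTP sessions worth a look.

    'exfil-c2'        the server is an IP the extracted exfil host resolved to;
    'unexpected-smtp' a client submitted mail on 587 to a server outside the
                      allow list (the same stealer with a changed mailbox looks
                      identical on the wire, so this catches config changes).
    """
    c2_ips = resolved.get(EXFIL_HOST, set())
    findings: list[tuple[str, str, str]] = []
    for c in conns:
        if c.resp_p != EXFIL_PORT and c.service != "smtp":
            continue  # not an SMTP submission; ignore
        if c.resp_h in c2_ips:
            findings.append((c.uid, c.orig_h, "exfil-c2"))
        elif c.resp_h not in allowed:
            findings.append((c.uid, c.orig_h, "unexpected-smtp"))
    return findings


if __name__ == "__main__":
    for uid, client, verdict in find_exfil(parse_conn_log(CONN_LOG), parse_dns_log(DNS_LOG)):
        print(f"{uid}\t{client}\t{verdict}")
```

Run against the constructed logs it flags C3 (the workstation that resolved the extracted host and then opened port 587 to it) as exfil-c2 and C6 (submission to a server not on the allow list) as unexpected-smtp, while the HTTPS session and the submission to the corporate server pass. The second verdict is deliberately broad: operators rotate the mailbox far more often than the technique, so alerting on any outbound 587 from workstations that should not be sending mail directly keeps the detection useful after this particular host is gone.
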
Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic).

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context with SetThreadContext is a common step in process hollowing and similar injection, where a payload is written into a suspended process and execution is redirected to it.

MITRE ATT&CK Enterprise v15

Tasks