
General

  • Target

    2c79efff8958d72ea87da05593ae8e168f7c0e9bcbbc5f73ec390784337e99df.zip

  • Size

    1003KB

  • Sample

    240316-cmq5nshd9y

  • MD5

    919b5bd425ab7d5f075dea732e154502

  • SHA1

    e2ef46ae4e7c52716aa86427ad86a1f06ea74daa

  • SHA256

    2c79efff8958d72ea87da05593ae8e168f7c0e9bcbbc5f73ec390784337e99df

  • SHA512

    d8d4bf05879ae83579303bf3127fe4f1c79dbc6468eee549ce709a8e5d639040885097c9f04448a568a361dcf05bea1b905c78acad12a2fe8150363f08f846c6

  • SSDEEP

    24576:7nX1Vr3eCTE68k1squ/y70/Yvu0DLDP8RFacb8bb2r:zeCTKkqq+yA/YW6T2IP2r

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

    • Protocol:
      smtp
    • Host:
      smtp.gmail.com
    • Port:
      587
    • Username:
      [email protected]
    • Password:
      hwuo jybd dtga lmyz

Targets

    • Target

      Bibeskftigelserne221.exe

    • Size

      1.2MB

    • MD5

      792dec181c3f286826d04aecd6cf32f1

    • SHA1

      d71c41fd445053571453dd43f8071e058de19ced

    • SHA256

      ec9fe9526ec132e17c934f5b3993f164b8cb5ec15813171c04f63ff563ad4f1e

    • SHA512

      fddd91dc77476ba57be516a4a4893beadcb84cf7d916bc80fda92640ec8a5a6b3e3a3efba72f5d56b9a0af6bf2a8092d40131825ed2c10b99a1367e47c169748

    • SSDEEP

      24576:7BG3e6TOKsix+24/2LoxYHum/1DJQRzEWbo/bwo:dGe6TOiE202sxYOO10UDwo

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; it harvests credentials from browsers, mail and file transfer clients and exfiltrates them, in this sample over SMTP.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020; here it is the delivery stage for the AgentTesla payload.

    • Detects packed .NET executables, mostly AgentTesla v4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so it never raises debug events; an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class so an attached debugger stops receiving events from that thread; an anti-analysis technique.

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context, commonly the last step of process hollowing or code injection to redirect execution into the injected payload.

    • Target

      Schizopod/Nonmakeup101.Pan55

    • Size

      53KB

    • MD5

      2e56e126a7f68c9dbb6167bfc1cd26c2

    • SHA1

      e45b4e9dff74f0711968994253b8fcaf39a5f8e3

    • SHA256

      b3fb58fdae2d31784f1b1c4f62b2c20a985789de7cb63b6e4748168aac4fb70a

    • SHA512

      15b0861ae57b05cc8906d8706332797da2152d44f16ba4c89da37fc6ec5753d543e890d898ecda384bcf1cf18894291a94262959dd7f395649e220629a814e3d

    • SSDEEP

      1536:Gz9YtlEnPI/VDPvl1vT47lZs98nds/Z5m3:0beDPtBTEaE2/C

    Score
    8/10
    • Modifies Installed Components in the registry

      Writes under the Active Setup "Installed Components" key; the StubPath command stored there is run for users at logon, a persistence technique.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
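The extracted SMTP configuration and the behavioural signatures above (external IP lookup, SMTP exfiltration, Active Setup registry modification) map directly onto host telemetry. The following Python is an added example, not tooling from tria.ge or from this report: it runs simple detection logic over constructed Sysmon-style events and correlates an IP-lookup followed by SMTP from the same non-mail process, the AgentTesla exfiltration pattern. The mail-client allowlist, the IP-lookup host list, the event field layout and the placeholder GUID under Installed Components are all assumptions; only smtp.gmail.com:587 and the dropped file name come from the report.

```python
import re
from dataclasses import dataclass

# Exfiltration endpoint taken from the extracted AgentTesla config above.
CONFIG_SMTP_HOST = "smtp.gmail.com"
CONFIG_SMTP_PORT = 587

# Assumption: processes allowed to speak SMTP on a workstation. Tune per estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Public IP-lookup services stealers query before exfiltrating. The report only
# says "a legitimate IP lookup service"; this list is an assumption.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ipinfo.io", "icanhazip.com"}

# "Modifies Installed Components in the registry": a StubPath value under the
# Active Setup key, which Windows runs at user logon (persistence).
ACTIVE_SETUP_RE = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str   # lower-cased executable name
    detail: str


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Map Sysmon-style events (dicts) to findings. EventID 3 = network
    connection, EventID 13 = registry value set; other IDs are ignored."""
    findings = []
    for ev in events:
        image = _image_name(ev["Image"])
        if ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            port = int(ev["DestinationPort"])
            if port in SMTP_PORTS and image not in MAIL_CLIENTS:
                findings.append(Finding("smtp_from_non_mail_client", image, f"{host}:{port}"))
                if host == CONFIG_SMTP_HOST and port == CONFIG_SMTP_PORT:
                    findings.append(Finding("exfil_to_configured_smtp", image, f"{host}:{port}"))
            if host in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", image, host))
        elif ev["EventID"] == 13 and ACTIVE_SETUP_RE.search(ev["TargetObject"]):
            findings.append(Finding("active_setup_persistence", image, ev["Details"]))
    return findings


def correlate(findings):
    """Images that both queried an IP-lookup service and opened SMTP from a
    non-mail process: the stealer exfiltration pattern, stronger than either
    signal on its own."""
    lookup = {f.image for f in findings if f.rule == "external_ip_lookup"}
    smtp = {f.image for f in findings if f.rule == "smtp_from_non_mail_client"}
    return lookup & smtp


# Constructed sample telemetry (not from the sandbox run): the dropped EXE from
# this report looks up its public IP, mails out over the configured SMTP
# endpoint and registers an Active Setup StubPath. Outlook on 587 is benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Bibeskftigelserne221.exe"},
    {"EventID": 3, "Image": r"C:\Users\victim\Bibeskftigelserne221.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\victim\Bibeskftigelserne221.exe",
     "DestinationHostname": "smtp.gmail.com", "DestinationPort": 587},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"EventID": 13, "Image": r"C:\Users\victim\Bibeskftigelserne221.exe",
     # The GUID below is a placeholder, not one observed in the sandbox run.
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{00000000-0000-0000-0000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\Bibeskftigelserne221.exe"},
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:28} {f.image:30} {f.detail}")
    print("exfil pattern:", sorted(correlate(run_sample())))
```

On real Sysmon data, DestinationHostname is only populated when DNS resolution is enabled in the Sysmon configuration; otherwise match on DestinationIp against resolved addresses for the configured SMTP host, and expect AgentTesla to connect from an injected host process rather than the dropped executable itself.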
