General

  • Target

    order list_P.O_5103497.exe

  • Size

    743KB

  • Sample

    240327-re6ygsdg22

  • MD5

    d0252090a4635accf6b38b021f821342

  • SHA1

    7c4854217a062c7f64475f6eebfa689f8ed5280e

  • SHA256

    7171159688e2f33a0545f09701d5d20ac73314cefc2cef8b62e8d4632fa650b3

  • SHA512

    eb96c83dd9b32c5dc3d8fc730258a61de4937ab3270299cbfe497322c33f251254f18a3e0bcf83f2fb54697b7f2b75e72f3b52d800501fe8420bd64ecefa4bf1

  • SSDEEP

    12288:Zk8ayww0wbsh5C9WLj+LYVum1smJLlSoRzOPRsLzwU+0Rs20D26WVOqjRoN:haj+sh5mW3+IumG0LlS4zCRsLlRs20Dp

Malware Config

Extracted

  • Family

    agenttesla

Credentials (extracted)

  • Protocol:
    smtp
  • Host:
    mail.nogamobilya.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    121121.1.noga!

Targets

    • Target

      order list_P.O_5103497.exe

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext