Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118
-
Size
800KB
-
Sample
240404-zz3qkabb86
-
MD5
c2ce115eece7c53ec5b202a0bd4d1778
-
SHA1
8cbb0836da268c35d2ad2691edaa4252134e21af
-
SHA256
e3b438339a4ce2dba793223d9448b8c597080daaaf63bdd94a79079b78cf2fcf
-
SHA512
a1c377449ce676685d30cc5f2cb3fb8c5d78d4c63986003ecc78fae5f2e8c8a77393c03c8bdd83a542a38ba204c297ffc2e9ca74f68424d2cedd71117a462e81
-
SSDEEP
12288:c5vuhhyEdCes6MBL1zm2I4ku0aa8NQR+nENV9wsQu2RS8h4+nxFx/:choM16MBdx078KqiVSfBKGp
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.penavico--cz.com - Port:
587 - Username:
[email protected] - Password:
Fq$L%J((!6
Targets
-
-
Target
c2ce115eece7c53ec5b202a0bd4d1778_JaffaCakes118
-
Size
800KB
-
MD5
c2ce115eece7c53ec5b202a0bd4d1778
-
SHA1
8cbb0836da268c35d2ad2691edaa4252134e21af
-
SHA256
e3b438339a4ce2dba793223d9448b8c597080daaaf63bdd94a79079b78cf2fcf
-
SHA512
a1c377449ce676685d30cc5f2cb3fb8c5d78d4c63986003ecc78fae5f2e8c8a77393c03c8bdd83a542a38ba204c297ffc2e9ca74f68424d2cedd71117a462e81
-
SSDEEP
12288:c5vuhhyEdCes6MBL1zm2I4ku0aa8NQR+nENV9wsQu2RS8h4+nxFx/:choM16MBdx078KqiVSfBKGp
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Nirsoft
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-