Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe

  • Size

    974KB

  • Sample

    240406-bxec7ahb36

  • MD5

    8fac5e61273c3395030fd331b536db36

  • SHA1

    7ba5e0f8b6fe94a088c4dd45484f83e2134a54f2

  • SHA256

    aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0

  • SHA512

    e8019cd9023875d491a9b9da8fc1322291b3e473ce168ddf0776ebed9d80354d15a6b0ab4233e90a4840075495950ac85e94d02072c41f3efed3c0892dc3b860

  • SSDEEP

    24576:xRmJkcoQricOIQxiZY1iaSpxt+GY9P1I+1oS:+JZoQrbTFZY1iaSpxtF23Z

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0.exe

    • Size

      974KB

    • MD5

      8fac5e61273c3395030fd331b536db36

    • SHA1

      7ba5e0f8b6fe94a088c4dd45484f83e2134a54f2

    • SHA256

      aee7679d622bef3608f1e4902ec91728c672cbbc1af0b49d9ff8f78467f255d0

    • SHA512

      e8019cd9023875d491a9b9da8fc1322291b3e473ce168ddf0776ebed9d80354d15a6b0ab4233e90a4840075495950ac85e94d02072c41f3efed3c0892dc3b860

    • SSDEEP

      24576:xRmJkcoQricOIQxiZY1iaSpxt+GY9P1I+1oS:+JZoQrbTFZY1iaSpxtF23Z

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks