General

  • Target

    ungziped_file

  • Size

    749KB

  • Sample

    240415-qlrxgahf5w

  • MD5

    2cb429d144a84ae31ac8ecf48fa862fb

  • SHA1

    379f1f62d047fa603ea0b933b526ed8ce9388be9

  • SHA256

    2c06313c7db4b165b18717a7998239c5e64a9ddfbd7f3b57fc5cc11a973ac07f

  • SHA512

    07dcce7087439d49084786eb54a98a898e4764c69d1850a5a0e7b72cd73f27408ffec7089e4730c680cf8e4b3b7fbc44981dfacad6d449ec785c32504d2b7d9f

  • SSDEEP

    12288:FayNBwyr2HPWyd3eOC6hcO+JeQB9B279Avons1puKUoeRSs39:IyNCyrePWceOC6P8v844oer9

Malware Config

Extracted

  • Family

    agenttesla

  • Credentials

      • Protocol:
        smtp
      • Host:
        mail.leema.lk
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        V[3ALIg~jl}T

Targets

    • Target

      ungziped_file


    • AgentTesla

      Agent Tesla is a .NET information stealer with remote access tool (RAT) capabilities, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted from this sample points at SMTP exfiltration through mail.leema.lk on port 587 using the credentials listed above.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofencing check so the malware does not run in certain regions.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account settings and saved passwords on disk and in the registry, which infostealers routinely harvest.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on a suspended thread of another process is the usual final step of process hollowing: the thread's instruction pointer is redirected into an injected payload before the process is resumed.
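The extracted SMTP configuration and the behaviour signatures above are what a responder turns into blocklist entries and detection logic. The following is an added example, not code from tria.ge or from the malware report: it parses the credential block as printed above into indicators, then runs a small classifier over constructed endpoint telemetry that maps file, registry, network and API events onto the report's signatures. The credential-store paths are the well-known locations used by FileZilla, WinSCP, Chrome, Firefox/Thunderbird and Outlook; the event schema, the list of IP lookup services and the sample events are assumptions for this example (the report does not say which lookup service this sample used).

```python
import re

# Extracted AgentTesla configuration copied from the report above. The
# username is obfuscated on the page ("[email protected]") and is left as-is.
EXTRACTED_CONFIG_TEXT = """
  • Protocol:
    smtp
  • Host:
    mail.leema.lk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    V[3ALIg~jl}T
"""

# Well-known locations of the credential stores named by the report's
# signatures (FileZilla site manager, WinSCP sessions in the registry, Chrome
# login database, Firefox/Thunderbird and Outlook profiles). Matched as
# case-insensitive substrings of the path in a file or registry event.
CREDENTIAL_STORES = {
    "Reads data files stored by FTP clients": [
        r"\filezilla\sitemanager.xml", r"\filezilla\recentservers.xml"],
    "Reads WinSCP keys stored on the system": [
        r"\software\martin prikryl\winscp 2\sessions"],
    "Reads user/profile data of web browsers": [
        r"\user data\default\login data", r"\mozilla\firefox\profiles"],
    "Reads user/profile data of local email clients": [
        r"\thunderbird\profiles", r"\outlook\profiles"],
}

# Public IP lookup services AgentTesla builds are known to query. The report
# does not name the one this sample used, so this list is an assumption.
IP_LOOKUP_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "ipinfo.io"}


def parse_extracted_config(text: str) -> dict:
    """Turn the report's "• Key:" / value-on-next-line bullets into a dict."""
    lines = [line.strip() for line in text.strip().splitlines()]
    cfg = {}
    for i, line in enumerate(lines):
        m = re.match(r"•\s*(\w+):\s*$", line)
        if m and i + 1 < len(lines):
            cfg[m.group(1).lower()] = lines[i + 1]
    cfg["port"] = int(cfg["port"])
    return cfg


def network_iocs(cfg: dict) -> list:
    """Blockable indicators derived from the exfiltration config."""
    return [cfg["host"], f"{cfg['host']}:{cfg['port']}"]


def triage_events(events: list, cfg: dict) -> list:
    """Map endpoint telemetry onto the report's signatures.

    Returns (signature, process, detail) tuples. The event schema (type,
    process, path/host/port/name) is assumed for this example; adapt the
    field names to your EDR or Sysmon export.
    """
    findings = []
    for ev in events:
        proc = ev["process"]
        if ev["type"] in ("file", "registry"):
            path = ev["path"].lower()
            for sig, needles in CREDENTIAL_STORES.items():
                if any(n in path for n in needles):
                    findings.append((sig, proc, ev["path"]))
        elif ev["type"] == "network":
            host, port = ev["host"].lower(), ev["port"]
            if host == cfg["host"].lower() and port == cfg["port"]:
                findings.append(("SMTP exfiltration to extracted C2", proc, f"{host}:{port}"))
            elif host in IP_LOOKUP_SERVICES:
                findings.append(("Looks up external IP address via web service", proc, host))
        elif ev["type"] == "api" and ev["name"] == "SetThreadContext":
            findings.append(("Suspicious use of SetThreadContext", proc, ev["name"]))
    return findings


# Constructed telemetry for this sample's behaviour; not taken from the report.
SAMPLE_EVENTS = [
    {"type": "registry", "process": "ungziped_file.exe",
     "path": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "file", "process": "ungziped_file.exe",
     "path": r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file", "process": "ungziped_file.exe",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "process": "ungziped_file.exe", "host": "api.ipify.org", "port": 443},
    {"type": "network", "process": "ungziped_file.exe", "host": "mail.leema.lk", "port": 587},
    {"type": "api", "process": "ungziped_file.exe", "name": "SetThreadContext"},
    {"type": "file", "process": "explorer.exe",
     "path": r"C:\Users\victim\Documents\notes.txt"},
]

if __name__ == "__main__":
    config = parse_extracted_config(EXTRACTED_CONFIG_TEXT)
    print("block:", network_iocs(config))
    for sig, proc, detail in triage_events(SAMPLE_EVENTS, config):
        print(f"{sig:55} {proc:20} {detail}")
```

Running the script prints the two network indicators to block and six findings, one per malicious event, while the benign explorer.exe file access produces nothing. Because the exfiltration target is a legitimate mail server reached over the standard submission port, a connection to mail.leema.lk:587 from anything other than a mail client is the most specific host-side indicator this report yields; the extracted mailbox credentials should also be reported to the provider so the drop account can be disabled.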

MITRE ATT&CK Enterprise v15

Tasks