General

  • Target

    f554eee597d0262cd192e15ecfb61c71746ca2c0bc9948dc7703440e797f802e_JaffaCakes118

  • Size

    685KB

  • Sample

    240417-jykklaba41

  • MD5

    9ff7e0f3a6ba748bc8549cb38ab93971

  • SHA1

    511020c3ff5b7a72c24dce960fb142899e0b65af

  • SHA256

    f554eee597d0262cd192e15ecfb61c71746ca2c0bc9948dc7703440e797f802e

  • SHA512

    2c3e0dc2fb7c2fc9854211036133fba84d9d78e07e693da7346cdbc3d29252f2e802673c099b8b9b540b7b05a8b3ff80fc6561d7d2c1c43cabb594be2073421b

  • SSDEEP

    12288:oeq+PtexJ5ZZcTlQnGODH+7YvNYbMp5KIh4G9SqkYYIJm7JbP:E+P65ZSTlmT4YvNYoWC4G8qLYqm7JbP

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6334555107:AAHjkXdGw4FaaaH1kHZyxe86XPdggmZYH1Y/

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks