
General

  • Target: 0173e9a1c067565afec4c77a50d2e973d2c6d7a2e18070e7bd366b7af6039322
  • Size: 632KB
  • Sample: 240417-r67zvsch25
  • MD5: 967b2a1a4289b52f828724ebc842ce28
  • SHA1: eb1d6ab3e496c8b353ebe1e59557b8307432820c
  • SHA256: 0173e9a1c067565afec4c77a50d2e973d2c6d7a2e18070e7bd366b7af6039322
  • SHA512: 792f3a894a4e08b50053fc58dfb210ef2a0b099eae07a78e6d6d2d0b58c2a28ed9494f8471db98e70e0e47ff3dfe6a9afbb31f78cd2bed0831cc86d97ad265b1
  • SSDEEP: 12288:yQOzsDpXc3+p8TwpcCf++BADlGM9QcSdmWV3NW7tx+9z52zbt6KcgyWNenF:AzstC+YwpxfjSD0M9QLTAt252zp3cgyn

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.pharmacell.com.tr
  • Port: 587
  • Username: [email protected]
  • Password: Fatih-2015a

Targets

    • Target: 390742120fc89ba2735772dbb63c0998bdb2d26df99976a5406477c4ffab56c2.exe
    • Size: 669KB
    • MD5: cb17689f9f2f8ead0450a9fa21ea6920
    • SHA1: 44f2a04f059e94ce47a2da8ed0b175a97e20ddde
    • SHA256: 390742120fc89ba2735772dbb63c0998bdb2d26df99976a5406477c4ffab56c2
    • SHA512: 43d729df8acf4eb2fe56c7432835340214b571a942e12566eef1eab656b7c1e263d3ac6b76087757034294382c90f1f53d3c9b8c83e80783fc868e94e916c76b
    • SSDEEP: 12288:Pz1uPBa5rr1wAM1F0XtZFBlZMMDcrKJSja7kaGPASF:Pua5rvM1FqnFBnMMDTSyoASF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext
