General

  • Target

    Payment Advice.zip

  • Size

    653KB

  • Sample

    240417-wza4rsbc2w

  • MD5

    b721ecb7cb904cd4873a163506376826

  • SHA1

    adb6c049e1b556b11d0d25a9be0de10989d5fc01

  • SHA256

    65213a977ea348163508bd4c82895c4945f6091a596334d16bdda6bf25b6f992

  • SHA512

    96df64b9ceed960cd70c913fdaf3a6a4aed0d1aa9cc3f0380f1bd067944f6e61c887a4e3d8a4b455cda62f1fca8aecf6cf745553f92f30da3ce643009b79181e

  • SSDEEP

    12288:sK9eJ5i7Bz7Dr8ARWBXk/zEfDKtF3thxdWD6XnT3XU6rF:LoJ+DgPByzJHLnLXU6x

Malware Config

Extracted

  • Family
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.lamcopaper.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    @@Lppc11988

Targets

    • Target

      Payment Advice.exe

    • Size

      702KB

    • MD5

      85614b7101c98396ed9fdc14222e563b

    • SHA1

      cbc9f72d36818e6c1918c86bc56178f92802d7b1

    • SHA256

      98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006

    • SHA512

      c123cc701be5ac9a667f3b2617fdb25996f6b46b3aca1cac027d14e76fda4d9a71b17031bcc6dbaf2bc5455184e59377fa39d72cccf133d384523419cbd47fa0

    • SSDEEP

      12288:Wb/1eJ5e7nzXD1uARs1XbQfzQfDKDFHtX9dW323tfZXOdaG9uq3kR:Wb/gJgDsR1r4zVXHtBXOf9uqi

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The SMTP account in the extracted config above is its exfiltration channel: harvested credentials are mailed out through it.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution to or away from certain regions.

    • Reads WinSCP keys stored on the system

      Tries to read WinSCP's stored sessions, which can hold saved hosts, usernames and passwords.

    • Reads data files stored by FTP clients

      Tries to read configuration files of FTP clients such as FileZilla, which store saved server credentials on disk.

    • Reads user/profile data of local email clients

      Email clients store account data on disk, where infostealers commonly harvest it.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

      Writes a value under a CurrentVersion\Run registry key so the payload is started again at logon.

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to learn the infected system's external IP address, which is typically included in the exfiltrated data.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is characteristic of process hollowing and similar code-injection techniques.
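
The behaviours listed above map onto host telemetry an analyst can hunt with. The following is an added example, not part of the tria.ge report or its tooling: it evaluates a few detection rules over constructed, simplified Sysmon-style events (1 = process create, 3 = network connection, 13 = registry value set, 22 = DNS query). The file hashes and the SMTP host and port are taken from the report; the list of IP-lookup hosts, the mail-client allow-list and the event shape are assumptions made for the example. A benign Thunderbird session is included to show that the generic "SMTP from a non-mail-client" rule does not fire on a real mail client.

```python
"""Hunt for the report's behaviours over constructed Sysmon-style events."""
import re
from collections import defaultdict

# Indicators copied from the report.
KNOWN_SHA256 = {
    "65213a977ea348163508bd4c82895c4945f6091a596334d16bdda6bf25b6f992",  # Payment Advice.zip
    "98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006",  # Payment Advice.exe
}
EXFIL_SMTP = ("mail.lamcopaper.com", 587)

# Assumptions, not taken from the report: well-known public IP-lookup hosts
# and an allow-list of processes expected to speak SMTP on a workstation.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Matches both HKLM\...\Run\ and HKU\<SID>\...\Run\ as Sysmon logs them.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def hunt(events):
    """Return {pid: sorted rule names} for every process that trips a rule."""
    image_by_pid = {}          # pid -> lowercase image file name, from event 1
    hits = defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            image_by_pid[pid] = e["image"].rsplit("\\", 1)[-1].lower()
            if e["sha256"].lower() in KNOWN_SHA256:
                hits[pid].add("known_agenttesla_hash")
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            hits[pid].add("run_key_persistence")
        elif e["id"] == 22 and e["query"].lower() in IP_LOOKUP_HOSTS:
            hits[pid].add("external_ip_lookup")
        elif e["id"] == 3:
            dst = (e["dst_host"].lower(), e["dst_port"])
            if dst == EXFIL_SMTP:
                hits[pid].add("smtp_to_extracted_c2")
            # Generic rule: outbound SMTP from anything that is not a mail
            # client. The allow-list keeps Outlook/Thunderbird from alerting.
            if dst[1] in SMTP_PORTS and image_by_pid.get(pid) not in MAIL_CLIENTS:
                hits[pid].add("smtp_from_non_mail_client")
    return {pid: sorted(rules) for pid, rules in hits.items()}


# Constructed sample telemetry: one infected process and one benign mail client.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\victim\Downloads\Payment Advice.exe",
     "sha256": "98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006"},
    {"id": 13, "pid": 4120,
     "target": r"HKU\S-1-5-21-1-1000\Software\Microsoft\Windows\CurrentVersion\Run\Payment Advice"},
    {"id": 22, "pid": 4120, "query": "api.ipify.org"},
    {"id": 3, "pid": 4120, "dst_host": "mail.lamcopaper.com", "dst_port": 587},
    {"id": 1, "pid": 5216, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "sha256": "0" * 64},
    {"id": 3, "pid": 5216, "dst_host": "smtp.example.net", "dst_port": 587},
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The hash and host rules are brittle on purpose: they catch this exact sample and this exact exfiltration account. The Run-key and non-mail-client SMTP rules are the ones that generalise to the next AgentTesla build, at the cost of needing the allow-list tuned to the environment.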

MITRE ATT&CK Enterprise v15

Tasks