Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    NEW ORDER.rar

  • Size

    651KB

  • Sample

    240418-vk239sbc3s

  • MD5

    0db5fd892ff98e5ee7f079d69e5ee579

  • SHA1

    d3d2403719b7ff202cbb7c1dbecc9934a3d8e44c

  • SHA256

    4917724a9a203983bc44a1d605d3ef09b074a9ef65adb01b2b28e49822fe7cf1

  • SHA512

    6c4de990d08155db850d0eccbcc47552a872afd575ecb20c5245af22ad58b7327ded3980490cd201aa18b7b5622025c583e73aa55b5b7f71b95792d692e0d2be

  • SSDEEP

    12288:82quqWl77godZdya8WzUCklrK81xZPhtS95eFOTOU16sNEc:/qk7DdZdzoCklr91jfSjeQaU1N1

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      NEW ORDER.exe

    • Size

      679KB

    • MD5

      f060b9400a263bea044a7789ec1d85d9

    • SHA1

      3e939ea522e4356fbdc15c7e0119366a6369e0c9

    • SHA256

      921ace6c0f27813fa370b65bcaee79824a4e31920dbdfec7652103c60e84cd23

    • SHA512

      ceda146640e354440ffbdbe3b8de48e4c1b7b03654687115b1e320f6c38513bfe00cc5ba5afb5858126bc6a257630980d34fd81f26ae992077330ed30d3a39da

    • SSDEEP

      12288:fH7A3U2WtXkF/gAiCTLY10rcTu0Gm6NHeMdwG+q7Ln2oMIzw4CGDw92kR:UE2OSIUTE14cZ6dp3n2opw/

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks