Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f927f2ce41...18.exe

windows7-x64

10

f927f2ce41...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f927f2ce41569d1d2c5a576d93374ace_JaffaCakes118

  • Size

    863KB

  • Sample

    240419-bd3axabh83

  • MD5

    f927f2ce41569d1d2c5a576d93374ace

  • SHA1

    1493b82cd46be1ef2fb45bc12c432d0bcf175a90

  • SHA256

    1e3432a2d3072ee5958b26e15d97ca1f6734c3522e701682b237544f5eb66645

  • SHA512

    38683269641058931c9f33aa3ea817ecbd1ce66afb353f4e85be3ef19af494016ec81cbbf63d269737a07a9f6a0f2feda5044183bf0f53d576740b9fce88dcff

  • SSDEEP

    12288:w1cfM/nlPljFQnV40j1yxdTw+MSOVtki1Nv0IeGN+grplH6eUNFje1jwt2NjFoO4:w1Fnl9jFQGdwlOeNv0IIgrXccjwMNjR

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.ifyportal.msratnigbureau.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Ci=q&_lH#LWf

Targets

    • Target

      f927f2ce41569d1d2c5a576d93374ace_JaffaCakes118

    • Size

      863KB

    • MD5

      f927f2ce41569d1d2c5a576d93374ace

    • SHA1

      1493b82cd46be1ef2fb45bc12c432d0bcf175a90

    • SHA256

      1e3432a2d3072ee5958b26e15d97ca1f6734c3522e701682b237544f5eb66645

    • SHA512

      38683269641058931c9f33aa3ea817ecbd1ce66afb353f4e85be3ef19af494016ec81cbbf63d269737a07a9f6a0f2feda5044183bf0f53d576740b9fce88dcff

    • SSDEEP

      12288:w1cfM/nlPljFQnV40j1yxdTw+MSOVtki1Nv0IeGN+grplH6eUNFje1jwt2NjFoO4:w1Fnl9jFQGdwlOeNv0IIgrXccjwMNjR

    Score
    10/10
    agentteslacollectionkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks