General

  • Target

    0f2cec6e4a20f7017cbfb9144028fc3c865da826c7e40173128bd51ce91ac579.zip

  • Size

    653KB

  • Sample

    240419-n5d4lsba68

  • MD5

    2c62e05278b182250a15329ed6bbeaaa

  • SHA1

    e3f805348c387b55d68b9016fe3a1783e06bd75e

  • SHA256

    0f2cec6e4a20f7017cbfb9144028fc3c865da826c7e40173128bd51ce91ac579

  • SHA512

    35eb78b7c81be4ea2e597a1bd4d38e3b2d29758768f7d0e274e077edc8a82ed7b1a5250c18b0d8876c098fa302ad18dde0f3e3e3b313de877b6a83b9041a89af

  • SSDEEP

    12288:wK9eJ5i7Bz7Dr8ARWBXk/zEfDKtF3thxdWD6XnT3XU6rP:noJ+DgPByzJHLnLXU6D

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      Order MJIMP 008.exe

    • Size

      702KB

    • MD5

      85614b7101c98396ed9fdc14222e563b

    • SHA1

      cbc9f72d36818e6c1918c86bc56178f92802d7b1

    • SHA256

      98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006

    • SHA512

      c123cc701be5ac9a667f3b2617fdb25996f6b46b3aca1cac027d14e76fda4d9a71b17031bcc6dbaf2bc5455184e59377fa39d72cccf133d384523419cbd47fa0

    • SSDEEP

      12288:Wb/1eJ5e7nzXD1uARs1XbQfzQfDKDFHtX9dW323tfZXOdaG9uq3kR:Wb/gJgDsR1r4zVXHtBXOf9uqi

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running the payload.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

      Writes a value under a Run registry key so the payload is launched again at logon (persistence).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing and similar injection techniques, where execution is redirected to attacker-supplied code.
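
The following is an added worked example (written for this page; it is not tria.ge code and not taken from the report) showing how an analyst might re-check this report's indicators on their own evidence: first by matching a file's digests against the hashes listed above for the dropped executable, then by mapping the behaviours listed above onto simple host-event heuristics. The registry keys, file paths and IP-lookup hostnames in the rules are well-known storage locations of the named programs and common lookup services, used here as the author's own heuristics (an assumption, not the exact checks tria.ge performs), and the event trace is constructed for illustration rather than captured from this sample.

```python
"""Re-check the indicators from the AgentTesla report: hash matching and
behaviour-to-event heuristics. Example code added to this page; the rules
and the trace below are the author's assumptions, not tria.ge's signatures."""
import hashlib
import re

# Digests this report lists for the dropped executable "Order MJIMP 008.exe".
REPORT_HASHES = {
    "md5": "85614b7101c98396ed9fdc14222e563b",
    "sha1": "cbc9f72d36818e6c1918c86bc56178f92802d7b1",
    "sha256": "98206390a847ef2600f916f0076f687d5261ff98ca02b5292fdf44017ca0e006",
}


def hash_matches(data: bytes, report: dict = REPORT_HASHES) -> set:
    """Return the algorithm names whose digest of `data` equals the report's
    value. One match identifies the file; an empty set means it is not the
    file this report describes (hashes will not catch a re-packed variant)."""
    return {alg for alg, hexdigest in report.items()
            if hashlib.new(alg, data).hexdigest() == hexdigest.lower()}


# (behaviour name from this report, regex on operation, regex on target).
# Paths/hosts are assumed heuristics: where the named programs keep data and
# which lookup services are commonly abused, not this sample's exact actions.
BEHAVIOUR_RULES = [
    ("Checks computer location settings",
     r"^RegQueryValue$", r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Reads WinSCP keys stored on the system",
     r"^Reg(OpenKey|QueryValue|EnumKey)$", r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions"),
    ("Reads data files stored by FTP clients",
     r"^(CreateFile|ReadFile)$", r"\\FileZilla\\(recentservers|sitemanager)\.xml$"),
    ("Reads user/profile data of local email clients",
     r"^(CreateFile|ReadFile)$", r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    ("Reads user/profile data of web browsers",
     r"^(CreateFile|ReadFile)$",
     r"\\(Chrome\\User Data\\[^\\]+\\Login Data|Firefox\\Profiles\\[^\\]+\\logins\.json)$"),
    ("Adds Run key to start application",
     r"^RegSetValue$", r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"),
    ("Looks up external IP address via web service",
     r"^(TCP Connect|DNS)$", r"^(api\.ipify\.org|checkip\.dyndns\.org|icanhazip\.com)(:\d+)?$"),
    # SetThreadContext comes from an API trace, not from a file/registry monitor.
    ("Suspicious use of SetThreadContext",
     r"^SetThreadContext$", r"."),
]


def classify_events(events):
    """events: iterable of (process, operation, target). Returns a dict
    {behaviour name: [matching events]} containing only behaviours that fired."""
    compiled = [(name, re.compile(op_re), re.compile(path_re, re.IGNORECASE))
                for name, op_re, path_re in BEHAVIOUR_RULES]
    hits = {}
    for proc, op, target in events:
        for name, op_re, path_re in compiled:
            if op_re.match(op) and path_re.search(target):
                hits.setdefault(name, []).append((proc, op, target))
    return hits


def parse_trace(text: str):
    """Parse the simplified 'process | operation | target' lines used here."""
    rows = []
    for line in text.strip().splitlines():
        proc, op, target = (field.strip() for field in line.split("|", 2))
        rows.append((proc, op, target))
    return rows


# Constructed trace for illustration only (not captured from the tria.ge run).
SAMPLE_TRACE = r"""
Order MJIMP 008.exe | RegQueryValue    | HKCU\Control Panel\International\Geo\Nation
Order MJIMP 008.exe | RegOpenKey       | HKCU\Software\Martin Prikryl\WinSCP 2\Sessions
Order MJIMP 008.exe | CreateFile       | C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml
Order MJIMP 008.exe | CreateFile       | C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc123.default\logins.json
Order MJIMP 008.exe | CreateFile       | C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
Order MJIMP 008.exe | RegSetValue      | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Order MJIMP 008
Order MJIMP 008.exe | TCP Connect      | api.ipify.org:443
Order MJIMP 008.exe | SetThreadContext | pid 4120 tid 4124
explorer.exe        | CreateFile       | C:\Users\victim\Documents\notes.txt
"""


def triage(trace_text: str = SAMPLE_TRACE) -> list:
    """Return the report behaviours observed in the trace, in first-seen order."""
    return list(classify_events(parse_trace(trace_text)))


if __name__ == "__main__":
    for name, events in classify_events(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name}: {len(events)} event(s)")
    print("hash match on dummy bytes:", hash_matches(b"not the sample") or "none")
```

The benign explorer.exe line in the trace is there to show that the rules key on both the operation and the target, so ordinary file access by other processes does not fire them; in practice the per-process grouping is what separates the stealer's credential-store reads from a user simply running FileZilla or Thunderbird.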

MITRE ATT&CK Enterprise v15

Tasks