General

  • Target

    Payment advice.rar

  • Size

    630KB

  • Sample

    240422-lyk78saa87

  • MD5

    323112c6f4ace7b2077caf1e795a3eca

  • SHA1

    6d06a24fc5a59362a8e3a7de0e1ea25fe3d349de

  • SHA256

    5702bb1b965e8221c4a7ed02e67095f8b60af404fa72f0693da6affda8a9111a

  • SHA512

    2a2486937b546c20d8d4aa06af3558582d21078c1560e25761e47d6271421b549d1ea07f4bb02f5e99e5338bb9c34057886d5760d684471ec2929edc25bd794a

  • SSDEEP

    12288:ZzywtETm5KwxW2MdMRhYmjaa/m20aVmK/QGYa/qtswpKC6/VgcVs:vtzsJdMXYmOa/m20k33/Wraac6

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.saleo-gomel.by
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Q_gidroadmin_2014

Targets

    • Target

      Payment advice.exe

    • Size

      643KB

    • MD5

      6b73d8b89be4f5712a62ea3529e5db3b

    • SHA1

      9c03cf5d4b296e6ada6ea8a3b04bc0ff3ee536c2

    • SHA256

      e6d6619cfa33dde32b9ef9a3d89e012c095dec3660360fde4ee0471c49ae5a07

    • SHA512

      9e2af059392fd56761dd44621356de015e2b2485e3dd28cf9e82cc24c8516f16b602b367e3bcb52c01adf3c8e6a5836fa15603fbafd6c3cc1e7d5b9a970c5bc3

    • SSDEEP

      12288:U3Oqp+xX5gDn68bZoXmwu9KVuqR2p00LcR9lkjwrkrBKC8i4ZosNYbAEX:U3hgX5gD6XgKkqZ0OGwrk1583T2A

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks