
General

  • Target

    87129f179df8c5e16bb7acdde8dd6c523bfad1db265615de14f4f340be72438d.z

  • Size

    749KB

  • Sample

    240423-bx6gnsbb2x

  • MD5

    e9743a8d6db81c36710a8d0e44875651

  • SHA1

    b5922ca028d2850ef34c829a92332c381fdffc4c

  • SHA256

    87129f179df8c5e16bb7acdde8dd6c523bfad1db265615de14f4f340be72438d

  • SHA512

    99e82680bccb7026d39bb7132089880cfc6b78144d6b18a480cbe24e841bcebb7ace18e9ff7d893a079b35c8870480ef5d6e4568d2a8f4a502f1182975683ed6

  • SSDEEP

    12288:eeLQl+0fTFdHFycISlxd6kNW86To1V/6wxTESAKX/89KynSqck2P+NBQzVet4Bcp:e/lNLFdHFrISl/f6To/6+zA8GK6wx2go

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      TEKLİF TALEP VE FİYAT TEKLİFİ_xlsx.scr (Turkish: "QUOTATION REQUEST AND PRICE QUOTATION"; a .scr screensaver executable with a fake "_xlsx" suffix, so the lure poses as a spreadsheet)

    • Size

      915KB

    • MD5

      2b931a284adaee1554bb7b6579d3cce5

    • SHA1

      23cb896c2f8416f590ec0cb6b7d7b3b045fc16b0

    • SHA256

      19d65215feee20f606dbdd5a4ed5196a96c6bc925df69ad26684a3221aec0521

    • SHA512

      78d33da30acb20d3142f4112b65b97d5ad464641a78931d93021177275aff9b2e5b23c4ac55b103c7e141a19ca4ecf523bf9849276227276edc51eeb855c583d

    • SSDEEP

      24576:wUr9UeNbhoxtlHh19iPoYFcERjKusTWffre1o:3rzbh6H9EoYFcENKBZo

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

    • Detects packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check that keys execution on the victim's locale.

    • Suspicious use of SetThreadContext

      Commonly associated with process hollowing, where a packer writes its unpacked payload into a suspended process and points that process's thread context at it. The hashes listed above identify the archive and the .scr dropper only; a payload dumped from memory should be hashed and classified separately.
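The "references many browsers / mail clients / FTP clients / Windows vault" signatures above are string-reference heuristics: a stealer that is going to harvest credentials has to name the products and files it loots. The script below is an added example of that logic and is not Triage's signature code. It pulls printable ASCII and UTF-16LE strings out of a file image (.NET string literals are stored as UTF-16LE, so ASCII-only extraction misses them), counts keyword hits per category, and flags the file when several categories fire. The keyword lists, the per-category threshold of three hits, the two-category verdict rule, and the sample bytes are all assumptions constructed for illustration, not data from the real 915KB .scr.

```python
"""Category-based string-reference heuristic for infostealer triage (added example)."""
import re
from collections import defaultdict

# Illustrative keyword lists (assumption, not the real signature content).
# Prefer product-specific tokens: a bare "edge" would also hit "knowledge".
CATEGORIES = {
    "browsers": ["chrome", "firefox", "opera", "brave", "msedge", "vivaldi", "yandex"],
    "mail_clients": ["outlook", "thunderbird", "foxmail", "postbox", "incredimail"],
    "ftp_clients": ["filezilla", "winscp", "flashfxp", "smartftp", "coreftp"],
    "windows_vault": ["vaultcli", "VaultOpenVault", "VaultEnumerateItems", "VaultGetItem"],
    "data_stores": ["logins.json", "Login Data", "key4.db", "wallet.dat", "cookies.sqlite"],
}


def extract_strings(data: bytes, min_len: int = 5) -> list[str]:
    """Return printable ASCII runs plus UTF-16LE runs of at least min_len characters."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    # Each UTF-16LE code unit for printable ASCII is <byte>\x00.
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(utf16_re, data)]
    return found


def categorize(strings: list[str]) -> dict[str, set[str]]:
    """Map each category to the set of its keywords that appear (case-insensitively)."""
    lowered = [s.lower() for s in strings]
    hits: dict[str, set[str]] = defaultdict(set)
    for category, keywords in CATEGORIES.items():
        for kw in keywords:
            if any(kw.lower() in s for s in lowered):
                hits[category].add(kw)
    return dict(hits)


def score(data: bytes, min_hits: int = 3, min_categories: int = 2) -> dict:
    """Apply the per-category threshold and the overall verdict rule (both assumed values)."""
    hits = categorize(extract_strings(data))
    triggered = sorted(c for c, kws in hits.items() if len(kws) >= min_hits)
    return {
        "hits": {c: sorted(k) for c, k in hits.items()},
        "triggered": triggered,
        "infostealer_like": len(triggered) >= min_categories,
    }


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked stealer: UTF-16LE .NET literals plus ASCII import names."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16le") + b"\x00\x00"

    blob = b"MZ\x90\x00" + b"\x00" * 32
    for literal in [
        "Google\\Chrome\\User Data", "Mozilla\\Firefox\\Profiles", "Opera Software",
        "Brave-Browser", "Outlook", "Thunderbird", "FileZilla\\sitemanager.xml",
        "logins.json", "Login Data", "key4.db",
    ]:
        blob += u16(literal) + b"\x00" * 4
    # Import-table style ASCII names for the Windows Credential Vault API.
    blob += b"vaultcli.dll\x00VaultOpenVault\x00VaultEnumerateItems\x00"
    return blob


# Constructed benign control: ordinary text, no credential-store references.
BENIGN = b"MZ\x90\x00" + b"hello world, this is a plain program\x00" * 3


if __name__ == "__main__":
    for name, blob in (("constructed stealer", build_sample()), ("benign control", BENIGN)):
        result = score(blob)
        print(f"{name}: triggered={result['triggered']} verdict={result['infostealer_like']}")
```

Against the constructed sample this fires on the browsers, data_stores and windows_vault categories (mail and FTP each stay under the threshold) and stays silent on the control. When you run it over a real dropper, expect few hits until the payload is unpacked: the "packed .NET executable" signature above exists precisely because the outer stage hides these strings, so scan the memory dump, not only the file on disk.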

MITRE ATT&CK Enterprise v15

Tasks