General

  • Target

    citat-05022024.xla

  • Size

    239KB

  • Sample

    240502-mq9fjafa9w

  • MD5

    0ad05016cab776ee9fca8d6e0c81adb4

  • SHA1

    e3b264d0dc7b739adc067b0cdbd92576e9fe1405

  • SHA256

    17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112

  • SHA512

    f9df6b90d66fd93c0ef292967fac9d315ed441925256289b748287d045dbc914e03385141744fec76063d5d56582f18f74f304e31aeafd43f27445aa98efe03e

  • SSDEEP

    6144:id4UcLe0JOqPQZR8MDdATCR3tSv0W8DNy/tgG794Yhk:lUP/qPQZR8MxAm/S8W8B/G794Gk

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.folder.ro
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    R2r76%(3v^H0

Targets

    • Target

      citat-05022024.xla

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Abuses OpenXML format to download file from external location

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks