Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
citat-05022024.xla
-
Size
239KB
-
Sample
240502-mq9fjafa9w
-
MD5
0ad05016cab776ee9fca8d6e0c81adb4
-
SHA1
e3b264d0dc7b739adc067b0cdbd92576e9fe1405
-
SHA256
17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112
-
SHA512
f9df6b90d66fd93c0ef292967fac9d315ed441925256289b748287d045dbc914e03385141744fec76063d5d56582f18f74f304e31aeafd43f27445aa98efe03e
-
SSDEEP
6144:id4UcLe0JOqPQZR8MDdATCR3tSv0W8DNy/tgG794Yhk:lUP/qPQZR8MxAm/S8W8B/G794Gk
Static task
static1
Behavioral task
behavioral1
Sample
citat-05022024.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
citat-05022024.xls
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.folder.ro - Port:
21 - Username:
[email protected] - Password:
R2r76%(3v^H0
Targets
-
-
Target
citat-05022024.xla
-
Size
239KB
-
MD5
0ad05016cab776ee9fca8d6e0c81adb4
-
SHA1
e3b264d0dc7b739adc067b0cdbd92576e9fe1405
-
SHA256
17c6dbd1c5b8e74f918919b871216da29238498712f81b85642c905bc127f112
-
SHA512
f9df6b90d66fd93c0ef292967fac9d315ed441925256289b748287d045dbc914e03385141744fec76063d5d56582f18f74f304e31aeafd43f27445aa98efe03e
-
SSDEEP
6144:id4UcLe0JOqPQZR8MDdATCR3tSv0W8DNy/tgG794Yhk:lUP/qPQZR8MxAm/S8W8B/G794Gk
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Abuses OpenXML format to download file from external location
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-