
General

  • Target

    576313f5dec1116207e98c2a8613741adeccde7288d60d76f1b1e38a98aa9949

  • Size

    2.3MB

  • Sample

    240507-bvxfzsfb82

  • MD5

    52eff63e9d2d1147683710f62d568d1c

  • SHA1

    c932ff375cc05eb0c5a7c84ff58ddf8307382fb3

  • SHA256

    576313f5dec1116207e98c2a8613741adeccde7288d60d76f1b1e38a98aa9949

  • SHA512

    16daa56f09dfc6e9b5c225ee3cee9a34aa035c4310da972327222e6ccbb6a2e64da7904e83a512c26aa42da12979f16263250757d890c836924430e263f3cffb

  • SSDEEP

    49152:qquptLYadkuizd5s7Ao/KyWpExzxdAGtSAUeK6JDXnPJv/POjo9n:/ujLhdAzelCyWpE5xO7AUeK6p/JmjC

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gencoldfire.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    dsznE{%*a*0gL1r3

Targets

    • Target

      576313f5dec1116207e98c2a8613741adeccde7288d60d76f1b1e38a98aa9949

    • Size

      2.3MB

    • MD5

      52eff63e9d2d1147683710f62d568d1c

    • SHA1

      c932ff375cc05eb0c5a7c84ff58ddf8307382fb3

    • SHA256

      576313f5dec1116207e98c2a8613741adeccde7288d60d76f1b1e38a98aa9949

    • SHA512

      16daa56f09dfc6e9b5c225ee3cee9a34aa035c4310da972327222e6ccbb6a2e64da7904e83a512c26aa42da12979f16263250757d890c836924430e263f3cffb

    • SSDEEP

      49152:qquptLYadkuizd5s7Ao/KyWpExzxdAGtSAUeK6JDXnPJv/POjo9n:/ujLhdAzelCyWpE5xO7AUeK6p/JmjC

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks