Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    9b393a5b9aa98418b6f6d3c6e4da3c2bf57855ffd7823f3048b834397bdad29b

  • Size

    2.2MB

  • Sample

    240508-b479vabh8t

  • MD5

    32c9bf9753af06cbd847f202815edcb4

  • SHA1

    a27e2dcfcec9696f516358ba5caf5e02d459afdf

  • SHA256

    9b393a5b9aa98418b6f6d3c6e4da3c2bf57855ffd7823f3048b834397bdad29b

  • SHA512

    db15de5326c812e2998f176a58d59719a4a032387fea16f0fa82963613b4b87121bbaf98f275aefd4408671395fc4ca1513cb52390695e83441487c152f3a78c

  • SSDEEP

    49152:UNwIN6eGO35t6XdlSajB0ZH+C3b+Ph68ImXN:Uim6ddnjsHTLyhHIU

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.sturmsgroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    y[/wk46uE}y(|Xn[

Targets

    • Target

      ödeme onaylama.exe

    • Size

      2.3MB

    • MD5

      e05072707e8bf8693a2fdbbf09ee5171

    • SHA1

      aa419828400cf6b684382a8a0d43d9551bafacb5

    • SHA256

      07c587b55d31f915af93c53896bce53e79d91a72609590f37acfa4457315dff4

    • SHA512

      1b8db09a65831e7cc6688feab6a1ab45612b28db0be72404ecd77fd67462ea8915742941dc32b65a7cb5bc689f7c18da1d1602a68f50b778da94bfb6d276c945

    • SSDEEP

      49152:Figf68sOtnjOXpR4k9lYFHA2tZwLRm8qyt:Fio6Lpl94HdjsRjq

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks