Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
STOPA 2024-0181.IMG
-
Size
1.2MB
-
Sample
240508-leh9jagc36
-
MD5
3b2bcfd921f958f111db8972382aaa8e
-
SHA1
811793a232d194dbdf2eba8f5db3521ea1cd213c
-
SHA256
190ef363fcd30d19582d57e1401d07e91ad586f764e7c0ccb5dc5a0df577510b
-
SHA512
7a233677cb76bb5ab1bfec282f9a34ec60970fe27e771139ad9a0d0462bbf2ec84977ccde2a7a954e22d532ec800942457fbcd2322492b295d98fdfa4102b536
-
SSDEEP
192:aJ2IExRIOoWa+tZFy6AA+1WHfa1vD7nSruBun2m:8jURmW7y6AASOE7nSr0uB
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.blachownia.pl - Port:
587 - Username:
[email protected] - Password:
Zamowienia-2017 - Email To:
[email protected]
Targets
-
-
Target
STOPA 2024-0181.vbs
-
Size
10KB
-
MD5
420b31e03f0aac291050345120dbb1c8
-
SHA1
e0968e51e1f6d8f3335ef9b9d5dea2c3f2253079
-
SHA256
9cec82087a35cfbb1b0097af9f6113b80cdbcdf9c73383a412dbf8408f37dfeb
-
SHA512
b5d3d8a5fc03ffb54a166b30f4bcdb1073fbdc08df5013b170321199f1939de630f596d058f44a5c4d9bae8f7f3130a6cd3b1d5a11d7f1d9753aee926f0dd7ac
-
SSDEEP
192:LIOoWa+tZFy6AA+1WHfa1vD7nSruBun2mF:LmW7y6AASOE7nSr0uBF
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-