General

  • Target

    20240403_SUA-000279-23.pdf.tar

  • Size

    41KB

  • Sample

    240509-kqk2tscd48

  • MD5

    b23282b3f9fe1a6d1b8cb0f818dde013

  • SHA1

    db47d04c4054c326820a6b44f0e92b36a75964c3

  • SHA256

    2709e4f356357ea81f0d62620cb8b291dcf2323036fde3d086688f9a4ed047f8

  • SHA512

    f39f379e5aed6dd369deb98bcde98d17bc1b5a3e72f5b55764d0bbe540105f9d86adb8409904bccd5bea2f20893241d649891552357262c6b82a932d7937ddba

  • SSDEEP

    768:z0zgBwjWAZGc8NnKwiQlPQcUyO0ljLecJh:3YqNnKwNocUyO0

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      20240403_SUA-000279-23.pdf.tar

    • Size

      41KB

    • MD5

      b23282b3f9fe1a6d1b8cb0f818dde013

    • SHA1

      db47d04c4054c326820a6b44f0e92b36a75964c3

    • SHA256

      2709e4f356357ea81f0d62620cb8b291dcf2323036fde3d086688f9a4ed047f8

    • SHA512

      f39f379e5aed6dd369deb98bcde98d17bc1b5a3e72f5b55764d0bbe540105f9d86adb8409904bccd5bea2f20893241d649891552357262c6b82a932d7937ddba

    • SSDEEP

      768:z0zgBwjWAZGc8NnKwiQlPQcUyO0ljLecJh:3YqNnKwNocUyO0

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      20240403_SUA-000279-23.pdf.vbs

    • Size

      39KB

    • MD5

      9332a3e3c00a2be6ee157055b9abc8f5

    • SHA1

      d495c9ed2015c481626609fcb53349ccb7734301

    • SHA256

      27621d4524d2feed05a6b2e9e7a46874328060c0c1a39506ddfb08f94c7ea2d3

    • SHA512

      921f161cd6cab441ae3e4cd92be05b3dc42845f5181e1d697d011a224cf9c6b7ae2c75f150f04fb9120a1a108b9898fefffdc132f6f4ddbfc641fa9bf81055b8

    • SSDEEP

      768:u0zgBwjWAZGc8NnKwiQlPQcUyO0ljLecJhd:AYqNnKwNocUyO0/

    • AgentTesla

      Agent Tesla is a .NET remote access tool (RAT) and credential stealer, written in Visual Basic .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks