Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    13052024_1638_RFQ_CHITA_CCPP_LNG_TO_PWR_00524_Rev0.rar

  • Size

    660KB

  • Sample

    240513-t5g36afb32

  • MD5

    6469a4fff82db19036700e6cec198ed7

  • SHA1

    ecc0190e92d5df49650d380b7b06534d2191469f

  • SHA256

    5a05f7c50928cffc850b084067bce03ab042038a12fe8e8c4c5b183cef4420de

  • SHA512

    0af09ed38ad990abd7c189a775d2eb17de078aaf3358ccf7d38f5d7f94407d3f619c7ad3313e2d9deccf4e3610b2d64f180fcf9c0ea172bf6536f6054a0467c6

  • SSDEEP

    12288:lcP1JjUC2gLFNl3TKmyOvYq06G9JeQ/9qicEzqyDJj+qDvl+Rxuiq6I:lcP1T2gLF3KqvuJeQ13sGFpvey6I

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      2405_CHITA_PJT_EQUIP_SPECS_DETAILS_Rev0.exe

    • Size

      604KB

    • MD5

      3324de16eb0e440903c72cbee9a45745

    • SHA1

      9ad4c703faa1fb94f6964c4d58f9c12093d1476b

    • SHA256

      faa9ce28bfc9c5fb0269a22b8aa8254cf41b92fef96b777f96bee32c3ccfaf31

    • SHA512

      5448f0e94cf05463e1da895d08c2a2eb65d2290d84e96afc9e4aa0c2f6cf1ed2300ad5c135b7c78ca513eb1d6f3706afe9188488c6046538627b681b88648c9f

    • SSDEEP

      6144:awHYKFddt6tm77A6KHV0aB/6bt6pjeWdok8/7AaRuTJ+lVO3DVX4EM5h8wk/hxlY:aiFZhAH10EjNRb8DFSuOOJnHYj9o

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      e227391c7ff576135eac4871e78ebe2d

    • SHA1

      85d4bdbb79bdc47095ca35ed2141b2e64d029218

    • SHA256

      edf12a3040cff0d801a86c02313d6605b41d766807f3dcb261754cf01b4e14b9

    • SHA512

      06f1b65dd980c6aac17518faf34d200453fedf893efa01bfc71128ccb1a70abcd7165f581c9789caf80776fac313a4e754df7b58f7467930a666de37b55396a6

    • SSDEEP

      192:asA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:hR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10
    • Target

      EDDS_EQUIP_DESIGN_DATA_DETAILS_Rev0.exe

    • Size

      607KB

    • MD5

      702c581aaefd114b161130142c695381

    • SHA1

      b78506b3f3f3d93a83df957b83e1bd0559dd85c2

    • SHA256

      2b39449b90e5e0ae5fbd4c725a739be26df6f537628e0c8830b72ea93fe19fff

    • SHA512

      359450e8f5652e669b4388f5f3e583bcc9c5341722da10119e9b1b4c8e603a105e8a89efbdf3a6614fc6a4c96577bf8813043dd5c273dd2f9b826d6ca0c9f1e0

    • SSDEEP

      12288:OiFZhAH10EjNRb8D/Jb4bD7t50BJTSI3/ALph65:DFZ2HRjNK/6dKeIPAK5

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      e227391c7ff576135eac4871e78ebe2d

    • SHA1

      85d4bdbb79bdc47095ca35ed2141b2e64d029218

    • SHA256

      edf12a3040cff0d801a86c02313d6605b41d766807f3dcb261754cf01b4e14b9

    • SHA512

      06f1b65dd980c6aac17518faf34d200453fedf893efa01bfc71128ccb1a70abcd7165f581c9789caf80776fac313a4e754df7b58f7467930a666de37b55396a6

    • SSDEEP

      192:asA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:hR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks