Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    47d706ae59ad625e490bcd6b00b08beb98d70b82b641ded9d8784445e3ca6624

  • Size

    696KB

  • Sample

    240516-bt764aec66

  • MD5

    62929ece1afcdcb73384fe57b7da2ac2

  • SHA1

    f9e3cf54896652096e43186087a492d0173010e3

  • SHA256

    47d706ae59ad625e490bcd6b00b08beb98d70b82b641ded9d8784445e3ca6624

  • SHA512

    d3934b8aa516eecd190596bd1082547d18b1c1aa399354cbc6587d0c6094d3d9ffc10f8f2be21215478e54b1a262ecdfee46967c6439a28d04c7f4d7247e7fac

  • SSDEEP

    12288:GOu2iN3skSKSIwjP7gxO2MGytqa/uiTRCryfdJxnAQmcFR58rzIuYAZLR2SteLIh:GJ19JSNIg0jMOa/ucRCr8J6cFR58/Igp

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://eu-west-1.sftpcloud.io
  • Port:
    21
  • Username:
    dc2d3038d5c743319b4d84cc320c4fad
  • Password:
    xmFBI1ctaq8b1qv5SWZ3AOzpG1Yb6y2K

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    eu-west-1.sftpcloud.io
  • Port:
    21
  • Username:
    dc2d3038d5c743319b4d84cc320c4fad
  • Password:
    xmFBI1ctaq8b1qv5SWZ3AOzpG1Yb6y2K

Targets

    • Target

      47d706ae59ad625e490bcd6b00b08beb98d70b82b641ded9d8784445e3ca6624

    • Size

      696KB

    • MD5

      62929ece1afcdcb73384fe57b7da2ac2

    • SHA1

      f9e3cf54896652096e43186087a492d0173010e3

    • SHA256

      47d706ae59ad625e490bcd6b00b08beb98d70b82b641ded9d8784445e3ca6624

    • SHA512

      d3934b8aa516eecd190596bd1082547d18b1c1aa399354cbc6587d0c6094d3d9ffc10f8f2be21215478e54b1a262ecdfee46967c6439a28d04c7f4d7247e7fac

    • SSDEEP

      12288:GOu2iN3skSKSIwjP7gxO2MGytqa/uiTRCryfdJxnAQmcFR58rzIuYAZLR2SteLIh:GJ19JSNIg0jMOa/ucRCr8J6cFR58/Igp

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks