
General

  • Target: 57724fb6ed72763c87c56abab1acaf92.bin
  • Size: 207KB
  • Sample: 240516-c72rxaha82
  • MD5: 367ad54ee8da4ea9811940a18db2117a
  • SHA1: cae8ba22006d193c3a39a3699bb414bc066570ef
  • SHA256: e065b159b6204e982f96d2633ee450f52ef2adcda327656545eeb3160b4233e3
  • SHA512: 56d3247125154666359e23a59a38b3452b8c60a2584cbc28f0e7ede9e4055ffccdbd37a72c56c4c58207e1dfb0d4cc7fdcf00dbfc699fee582500b24a2e325a0
  • SSDEEP: 6144:vG2icGbM/5QNcMyvV77PS9wrAyilSnBjnF2GeEqw0gr6ki53:7V5BRU9S3eEqw0gro53

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target: New Order n. 4533452041, date 14.05.2024.hta
    • Size: 424KB
    • MD5: 41bfa760446594a9ad5d9cb19b9f80ca
    • SHA1: 02ee45b860e1488cb3570d460dbba1e6eae6a226
    • SHA256: 041f367ef3d1d7391917341bb6da3089f2534751a6dc10a8de23cf5196ae6a2d
    • SHA512: edc7d012d7ba64dee5461e2bd95e072bbec38852ae8d3a449a707f74136d1c8693c359e8bfc6a53b54900897f646fb87a3d7ac2054ff672ed352f30fd1332c5e
    • SSDEEP: 6144:7+4t1fXGwzkAitPzmeI9OQYypkHkSVdtxQ+5iYgbAL0WMhw19+z0yhtHn9eq/+41:7JJv0ayfOb64MRycngoavbN0vBrbRMn

    • AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • Blocklisted process makes network request
    • Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks