Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    MV. INDIGO CEFIRO - VESSEL PARTICULARS.pdf.lzh

  • Size

    633KB

  • Sample

    240521-es9v3shc8v

  • MD5

    ebdd1eb8a8a91c9fb1e8254200f04b85

  • SHA1

    86fa474e9695dfd534484016f3390830b4aa224a

  • SHA256

    5c0356d50bcf0927f3dd3ab7709aacc287eb639acf4ac8f7f9d41456b4850315

  • SHA512

    589ae624ecb000decbb891ab22d5ab65107799f42ec5286a6a7ddb230482f8e241313968a024c0a8cc83f5e638224472b8682761de4ecf7b5d7cf8b5d73b4705

  • SSDEEP

    12288:csJXSoOcluukxo2gfVQvjZMs0ShYgd0hVh4DM3Eb03iS/egl83bMCXBY:csNQc4ukxifVIFTduVp3bN/egAMCXBY

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      MV. INDIGO CEFIRO - VESSEL PARTICULARS.pdf.scr

    • Size

      656KB

    • MD5

      c63cebeaae6c25d95a7d3066b93ae1be

    • SHA1

      ac338a3b364333178df8acda49873ad9716a3e9b

    • SHA256

      227b52e8c9ed77b2fe6cec5e09c8898924d157034b5f7ba2bffcb2a3c3cbe949

    • SHA512

      43ee5cd986b92f5124abdf511561af6b0a054b762d268adb976aee8473abfbf23599816ed366b77af5477f78d4de4333e142e1f82cd27dace18071cbd270eb62

    • SSDEEP

      12288:XlYifTcClSW15Xkep2WThbNG0CAu6bCxSexegZo1iCTA6koWn95OyLvqj:2iVll5XTliAu6ORogYiqA6e95OyLCj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks