General

  • Target:
    d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11.img
  • Size:
    1.2MB
  • Sample:
    240523-r8gkpaeh84
  • MD5:
    cdf2d0ec69cda136a182b17c4e272337
  • SHA1:
    3821755c637e4b1bee6053dbbb8cddf26ab553e3
  • SHA256:
    d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11
  • SHA512:
    482ef8aa1120c6ee5e1b5d68a1d2e957a94fbb73c39ed3dcc0f0ceaa4b35a7b2c3d8116cdbd90458240cfa454f4fb7fb07443f8dcf62c3cacceee85d17fec060
  • SSDEEP:
    192:3jY2yDwVFJs7R6/F53IYG8NJu0aTV/cFaFrmxpCz6cf:1/Jh/FNImyfTV/xrmxpCz6c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.medicalhome.com.pe
  • Port:
    587
  • Username:
    info@medicalhome.com.pe
  • Password:
    MHinfo01
  • Email To:
    og.bahd@yandex.ru

Targets

    • Target:
      SKIIP 83EC125T1 22-0-05-24RQ.vbs
    • Size:
      5KB
    • MD5:
      62bc79cdf5d55f891ae6d2a662cb87fc
    • SHA1:
      2ab352feb12da98eca4c5ec9ce4b349f5731ab50
    • SHA256:
      d14ef42bd2f3ecb7ff2e7ea8b7fd79b06f5b048c2f181381b5f8b790b7228f3b
    • SHA512:
      1335d32fa999b5f3729f0b94caf214e09b78c9f3108c05e8fb6fddb828f7d8049a17c2e1b72ca12203ebdda0141d22c326e1986057677fdb9efe6970638c7db2
    • SSDEEP:
      96:QsLisJvmYz2W6/F5J9eI8L7YMH8NJPW0agOVTLU5VFPB5Gv9rmJ/pCz6cfp:QJs7R6/F53IYG8NJu0aTV/cFaFrmxpCv

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks