Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f.exe

  • Size

    2.0MB

  • Sample

    240524-mk6sfsdg4y

  • MD5

    8f184daf4d3d0fac93db93c798e616ed

  • SHA1

    f8c6c99b7e0572347ed1bee3ddb425e31f6cb643

  • SHA256

    97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f

  • SHA512

    652d87c3ce83e960f3aa0edc2b16d8003b8b8a52d6025afb2818303b2d92ea4d123f3269249b751dff3d421ba46f9460d0d3c48be826808bfe4eaae9be21cd3e

  • SSDEEP

    24576:8ynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52AOXuq01dKqOFFSyF8FaE:9jN3CdJ81nEQhs30eouqsrOFXOaE

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7043330881:AAFq19dRSS-89_wbwEvbuucof5Z3tCHG2NY/

Targets

    • Target

      97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f.exe

    • Size

      2.0MB

    • MD5

      8f184daf4d3d0fac93db93c798e616ed

    • SHA1

      f8c6c99b7e0572347ed1bee3ddb425e31f6cb643

    • SHA256

      97fa9df0ae7536db7c2427ff65ba51db3bbd22ebe957bf406ebe3f4ba4a46f7f

    • SHA512

      652d87c3ce83e960f3aa0edc2b16d8003b8b8a52d6025afb2818303b2d92ea4d123f3269249b751dff3d421ba46f9460d0d3c48be826808bfe4eaae9be21cd3e

    • SSDEEP

      24576:8ynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52AOXuq01dKqOFFSyF8FaE:9jN3CdJ81nEQhs30eouqsrOFXOaE

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks