Resubmissions

27/05/2024, 11:09

240527-m85kasac65 10

27/05/2024, 11:01

240527-m4yaesab34 10

General

  • Target

    AKOUR II - PARTICULARS .1.xlsx.lzh

  • Size

    620KB

  • Sample

    240527-m4yaesab34

  • MD5

    9fb538f2672ef436c2696039dc549a06

  • SHA1

    d2acc37cd1363c554b8437f7bb21a9fd02dab1b9

  • SHA256

    5efb21277d8165421f6864fbf18245b3d644f39b7b01acff2b000f0e1acc05e4

  • SHA512

    cf2d34de2f09e086b419790f42136a76ff2f31f358841806bb70a2c00330a1e4a3414ad05d76d9047047ffea76f91bd07bb30cfbb2fdedb157c063b6a4f61b8e

  • SSDEEP

    12288:5iKQuuOKHRYNTP7WKNAl5aASD/K1v3qBYLR2IC1cSq1l3:AKD7KHRkTts5IKrNqq1p

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    beirutrest.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    9yXQ39wz(uL+

Targets

    • Target

      AKOUR II - PARTICULARS .1.xlsx.scr

    • Size

      643KB

    • MD5

      36ad2c5dfb781a00c608398ac31b14fe

    • SHA1

      ddbcc7d4febadba0e43223c843b14f643fb94acb

    • SHA256

      97c58cd9c880ee1725933fc5af4c64c39ef44ca959199121691be3fd4af3fb2f

    • SHA512

      b35cb319299e3e745e59ec7299921729f68e25fa81b37196824057caa0e030c114c3516092d0e30b5e09178d3fb14830361070a65ed30fa4e023f51a129b12db

    • SSDEEP

      12288:luZrYCFd6xJZIpOnjq6nd26/vlRnlm92BB31b0v24MHn69bJE6fYm8rPasqrmz:Y81xrPjdw6/vjk8rFYv24oniG2YVtLz

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks