General
- Target: a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886
- Size: 759KB
- Sample: 240528-waeewsdf7x
- MD5: b79f97e4db70037b5bc5151fbe634d93
- SHA1: 81283e71c6dedb7335c0adaa51c0ca3f804638a2
- SHA256: a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886
- SHA512: 3fab52033ca9ded4e123253bc74912c60fdfc38ee5272df66fd6e77430f460ec13ea3a482df6488bb18c362abf0ec3b155664350f1f5950a2362b0db1bcc48e5
- SSDEEP: 12288:Bz9TjhnjhvWr1NhQCKBtVOrH/ks40Zstp+wSb/YEXk6SvXRyp3Gb5:BzdNnNmXhjaDuR40Z/YokXPIFGb
Static task: static1
Behavioral task: behavioral1
- Sample: a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe
- Resource: win10v2004-20240508-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.expertsconsultgh.co
- Port: 587
- Username: [email protected]
- Password: Oppong.2012
- Email To: [email protected]
Targets
- Target: a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext