General

  • Target

    3a23505e90df25fe34b92eebb73fa08d4571d3f12b12807711325d16a3ec2db9.xlsx

  • Size

    14KB

  • Sample

    240529-bpskvadc85

  • MD5

    613bc31f40a70c787c70e5fa82ba3da6

  • SHA1

    d689a647a7254e5a9d349a61e951c0629b43a473

  • SHA256

    3a23505e90df25fe34b92eebb73fa08d4571d3f12b12807711325d16a3ec2db9

  • SHA512

    2495e1cc29f8cc5749365574637dc684c48e2fba9013b4b0b226208b793690951e35ceb813723d72343128c853f1705c3964a4a36bc529bbf4ef1e8f50ebab17

  • SSDEEP

    384:q4hFXIZwODvsHq7EVKn9keeGZkauRqKos/FUK:5hNIjJHnue/ka1KosuK

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      3a23505e90df25fe34b92eebb73fa08d4571d3f12b12807711325d16a3ec2db9.xlsx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing Windows vault credential objects. Observed in information stealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks