General

Target: 74a24918d2d23cf37ea8d542136187fdcd15aaf97792a36da44c01dd0d20555e
Size: 636KB
Sample: 240531-ceernsbb2w
MD5: 8028f08408efe10f4c09a69d30d321ae
SHA1: efd04813d698225c42f917ec47d7392c46575a08
SHA256: 74a24918d2d23cf37ea8d542136187fdcd15aaf97792a36da44c01dd0d20555e
SHA512: 8338e3ffca188cbba0cebf9e962411a98a53a01a11481888697ecc091057263c118671ae2f955fbcb1beddc753003c7c0028c2aa2018e358006b67b0d3505e7f
SSDEEP: 6144:rxwhnR5/oeD4doneNrPrOvnnjx0iqDEl8gjgsZwyMkGJaYqSMOk/UqGoLCbby5ec:rxwpCJet5STiIk/au5KjwDnKz46vur
Static task: static1

Behavioral task: behavioral1
Sample: a73bde5818cf35b57af18ef482d69a39cf93ab332eb5a1301042c9b69e74dcc9.exe
Resource: win7-20231129-en
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: phoenixblowers.com
Port: 587
Username: [email protected]
Password: Officeback@2022#
Email To: [email protected]
Targets

Target: a73bde5818cf35b57af18ef482d69a39cf93ab332eb5a1301042c9b69e74dcc9.exe
Size: 661KB
MD5: 204083e5ee75f801a3aad0078f433cd8
SHA1: 386e1a6daa01c95815eb3bd46304cac26dc66f2b
SHA256: a73bde5818cf35b57af18ef482d69a39cf93ab332eb5a1301042c9b69e74dcc9
SHA512: 40e278a8bb6cf2253029d46ed1aa01355ae67f2f9b55af704631b4e8ab0520296ce0f53cda772ac5b67c183374115e83700362deef07bce8a2d3b7358546d878
SSDEEP: 12288:AQtYJL/6H3BGyBRlgouuplkMUgI1OAPQZ4GcDbMpY2MxhY:VYdCRTBRlgouBs4PQZecMHY
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext