General

  • Target

    9079ad27c74ba06204d72c6a182d7e389eb772c5bc80944d48a7afa2f1e1d00a

  • Size

    737KB

  • Sample

    240625-cdl5csxhlp

  • MD5

    0d46d709a626c186dca1450cfffdf3cb

  • SHA1

    69b7ee5476195292de09a124982c93c0cd147f54

  • SHA256

    9079ad27c74ba06204d72c6a182d7e389eb772c5bc80944d48a7afa2f1e1d00a

  • SHA512

    3c151656cdd1442c247fd965e16f684eba05dc8a867962216aa9eaa6c2f609a01c667bf8c8edce9b731171b071bd70b9acdbc7357fc282de0bee41daa11590a1

  • SSDEEP

    12288:gYV6MorX7qzuC3QHO9FQVHPF51jgcCEpn2I0u4R78csiUdCdN4REFpYdc+DOqb:/BXu9HGaVHLn2zu4Rcr4d+RgpYa+DOqb

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7062858527:AAEM0BoHdG7fMsfm9R9w93alfsoiCiWrMxM/

Targets

    • Target

      9079ad27c74ba06204d72c6a182d7e389eb772c5bc80944d48a7afa2f1e1d00a

    • Size

      737KB

    • MD5

      0d46d709a626c186dca1450cfffdf3cb

    • SHA1

      69b7ee5476195292de09a124982c93c0cd147f54

    • SHA256

      9079ad27c74ba06204d72c6a182d7e389eb772c5bc80944d48a7afa2f1e1d00a

    • SHA512

      3c151656cdd1442c247fd965e16f684eba05dc8a867962216aa9eaa6c2f609a01c667bf8c8edce9b731171b071bd70b9acdbc7357fc282de0bee41daa11590a1

    • SSDEEP

      12288:gYV6MorX7qzuC3QHO9FQVHPF51jgcCEpn2I0u4R78csiUdCdN4REFpYdc+DOqb:/BXu9HGaVHLn2zu4Rcr4d+RgpYa+DOqb

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks