
General

  • Target

    f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe

  • Size

    708KB

  • Sample

    240626-b4rbbszejp

  • MD5

    e0026df83e1aa08616a11d9104faad46

  • SHA1

    1740312c7651b432fa0ab47819919ec034f8c67b

  • SHA256

    f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b

  • SHA512

    6564396ef6b396ae3ee367e6285924d04b4ee2171af4c58c195a61a1a2093adee4baea01e36e58a616fd70257119945666d95f3a943c0e057f1ec66fb64eeb29

  • SSDEEP

    12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcq556I95wyWr5vkTj5+u4Q3lfT1VP9v:lBXu9HGaVHpm5fWrBkToEV71v

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1251110202149699625/eDNZWTFoHBDo8HXw0aunmvGeBWciM4C8KyCpUHy9gEFPn1XyMs30gAsSjfRX6u9Vnuig

Targets

    • Target

      f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe


    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect packed .NET executables. Mostly AgentTeslaV4.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing a Discord URL, as observed in first-stage droppers

    • Detects executables referencing Windows vault credential objects. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • UPX dump on OEP (original entry point)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks