General
- Target: f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe
- Size: 708KB
- Sample: 240626-b4rbbszejp
- MD5: e0026df83e1aa08616a11d9104faad46
- SHA1: 1740312c7651b432fa0ab47819919ec034f8c67b
- SHA256: f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b
- SHA512: 6564396ef6b396ae3ee367e6285924d04b4ee2171af4c58c195a61a1a2093adee4baea01e36e58a616fd70257119945666d95f3a943c0e057f1ec66fb64eeb29
- SSDEEP: 12288:mYV6MorX7qzuC3QHO9FQVHPF51jgcq556I95wyWr5vkTj5+u4Q3lfT1VP9v:lBXu9HGaVHpm5fWrBkToEV71v
Behavioral task
- behavioral1
- Sample: f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe
- Resource: win7-20240508-en
Malware Config
Extracted
agenttesla
https://discord.com/api/webhooks/1251110202149699625/eDNZWTFoHBDo8HXw0aunmvGeBWciM4C8KyCpUHy9gEFPn1XyMs30gAsSjfRX6u9Vnuig
Targets
- Target: f154ccb1d9e7b8fe43b53c055b89ba3bb6b4626ba307c56225287a4e8495754b.exe (size and hashes as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing a Discord URL. Observed in first-stage droppers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- UPX dump on OEP (original entry point)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext