Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0bd9318b718dd0818f24fd4b19bac1732f9fb26d337b0825eecb7cdbbbc6dbe5

  • Size

    1.1MB

  • Sample

    240721-bfjlkssbmg

  • MD5

    4f1c653f2971b30ea8b657753bf89e74

  • SHA1

    c1ed98af6e4905b056fc2fdb793d6e9ddb7e46a8

  • SHA256

    0bd9318b718dd0818f24fd4b19bac1732f9fb26d337b0825eecb7cdbbbc6dbe5

  • SHA512

    d083ea01bac5bc5bbf5fbe1b3f87e9463b4134da2084851c7d1b8f209f3daab4c694d4924976ff9a2f8463c14f567061975c8d07d4a983aed85d582703d9b2db

  • SSDEEP

    24576:02BAYw7Qvvv69RXLj4ug+f6Isx/7oK1q7:02BAYicmLjVbSIhH7

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.taqwaknitwear.com
  • Port:
    587
  • Username:
    porag@taqwaknitwear.com
  • Password:
    PGZ=5p?DmAtX
  • Email To:
    wsmith02157@gmail.com

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.taqwaknitwear.com
  • Port:
    587
  • Username:
    porag@taqwaknitwear.com
  • Password:
    PGZ=5p?DmAtX

Targets

    • Target

      0bd9318b718dd0818f24fd4b19bac1732f9fb26d337b0825eecb7cdbbbc6dbe5

    • Size

      1.1MB

    • MD5

      4f1c653f2971b30ea8b657753bf89e74

    • SHA1

      c1ed98af6e4905b056fc2fdb793d6e9ddb7e46a8

    • SHA256

      0bd9318b718dd0818f24fd4b19bac1732f9fb26d337b0825eecb7cdbbbc6dbe5

    • SHA512

      d083ea01bac5bc5bbf5fbe1b3f87e9463b4134da2084851c7d1b8f209f3daab4c694d4924976ff9a2f8463c14f567061975c8d07d4a983aed85d582703d9b2db

    • SSDEEP

      24576:02BAYw7Qvvv69RXLj4ug+f6Isx/7oK1q7:02BAYicmLjVbSIhH7

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.