Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    MalwareBazaar.0

  • Size

    714KB

  • Sample

    240722-m4ccystfmf

  • MD5

    3f7c84c76dfaea941ef90605c1cd21ba

  • SHA1

    992ece1862127ed2ca5ca313238919c329498d24

  • SHA256

    fb37e9bdbfbb7d761432783f5a1c9da901542426bb386bb611c9ac5f2b8ad8fc

  • SHA512

    6d4697e38e5e8ef4aa2f04ed5edd827da9ef20b4b1afa54570fa39187da93f9e947b02f7475ec334e56777f837650d6ba9093af07e55d96e81b6d068dc41d1e4

  • SSDEEP

    12288:yfpWOhxz036s1YPTzJonZtC1bqqAv6vbTwjHsX8f+FIDAM839:yj9036skJWCtqqAowHG5Ft9

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Targets

    • Target

      MalwareBazaar.0

    • Size

      714KB

    • MD5

      3f7c84c76dfaea941ef90605c1cd21ba

    • SHA1

      992ece1862127ed2ca5ca313238919c329498d24

    • SHA256

      fb37e9bdbfbb7d761432783f5a1c9da901542426bb386bb611c9ac5f2b8ad8fc

    • SHA512

      6d4697e38e5e8ef4aa2f04ed5edd827da9ef20b4b1afa54570fa39187da93f9e947b02f7475ec334e56777f837650d6ba9093af07e55d96e81b6d068dc41d1e4

    • SSDEEP

      12288:yfpWOhxz036s1YPTzJonZtC1bqqAv6vbTwjHsX8f+FIDAM839:yj9036skJWCtqqAowHG5Ft9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks