General

  • Target: 9b781f4e9bbd1433c696257ec61de538c7d605921fd71bc92733abc28ba95b53
  • Size: 726KB
  • Sample: 240802-b7hhlataqe
  • MD5: 8afd510bacdd19a51f06c69209ee54c4
  • SHA1: c85a198a09f62d7ed303ad3d9d14e29ce89f66e4
  • SHA256: 9b781f4e9bbd1433c696257ec61de538c7d605921fd71bc92733abc28ba95b53
  • SHA512: d0242a2b54bc8f79e65aba59e0c0a27852c64423cc97a7741386fdada30ba190df3d1c90822e170351cba8e0407d32e12474cf4a139a70d5743c5884e4ffe09b
  • SSDEEP: 12288:flRd9Ps/rbtcjJXRX+bQSjnqTfqf/KCboygiEsmRp48A6bbJSbQoZ486VBjl+d/B:jqcjJXRObQS2S6WPFVyFSpKnBU+NcKA

Malware Config

Extracted

  • Family: agenttesla
  • Credentials

Targets

    • Target: NEW ORDER PURCHASE.pif
    • Size: 760KB
    • MD5: cde7970091a0b3fd19f7f8f3a855b583
    • SHA1: 6c55f16de86b9dc9052c5e2fe2d94ce6d7e79e9e
    • SHA256: 8f58aa2f3549e2b9449f530eb6bf91bb4b0be997b97c65245aeb99baa55fdfb9
    • SHA512: 19bd3514fdf5d0ff6b47268795bd13c03401d6adb74553e578b7bf40b1c5219ebb7fd40c9f587ff8cf1f3a1f7d834ac5cb006c66d0374badc7d897033625cdeb
    • SSDEEP: 12288:zU3929BC4rqhpfVIbQMjRq/3ml/bCoygRFg+48MMOI/bxqbyoZ48oLBbl+d/WDwt:zU89BNuhEbQM62UPjZU/lqjY1ZUW8t

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks