General

  • Target

    02082024_0154_08102021_Petikan segera.08.10.2021.xlxs.Gz

  • Size

    423KB

  • Sample

    240802-cbt27atdlh

  • MD5

    783f979830923d615f534254d12d5f30

  • SHA1

    15a6a72543610a22e7fa376d2d9dbe925a22ff44

  • SHA256

    f83bfb3ecce4aaa00303143f0e039d77cc153626211ff27ea0f6d68e48456d9c

  • SHA512

    5d850fa1715041b7ce5add027a190d9a56d5a1483cc5d9e1f9d358dffe821c3cfca2981f5dc932aca8755cfa5ab1adca408cb49ebbcb43281589aefa3884d785

  • SSDEEP

    12288:lWwORYe6847mPEh0Owdzh6OIkItNCPUHXnaP:lWjqPS60Ouh9Ik0NiUH3aP

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mosqueboy100

Targets

    • Target

      Petikan segera.08.10.2021.xlxs.exe

    • Size

      498KB

    • MD5

      b6a26b6912def25202d5c5b3a7cef7ef

    • SHA1

      c61a6ca3cf061a2ba382a77d5e697f1dea1e99f2

    • SHA256

      e4c04b184aebbb0c4cd7533d2432c5a3699ea15e3fdebcaeec49edfea97cfcf1

    • SHA512

      754d0f094e3860f5196a041d841ffa7990d1b6a32749dfa5d13920fa13d1956441fb0bea097ee410da84da6d1f67c72a4ecb1e315ca7dc7dd86734e83bdf4f69

    • SSDEEP

      12288:rADyL9pD3+r4m5GEh0AGdu768pSIt/cPU0Xnt0m:0+L7DWY60AB7VpS0/AU03t0m

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks