Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
02082024_0154_08102021_Petikan segera.08.10.2021.xlxs.Gz
-
Size
423KB
-
Sample
240802-cbt27atdlh
-
MD5
783f979830923d615f534254d12d5f30
-
SHA1
15a6a72543610a22e7fa376d2d9dbe925a22ff44
-
SHA256
f83bfb3ecce4aaa00303143f0e039d77cc153626211ff27ea0f6d68e48456d9c
-
SHA512
5d850fa1715041b7ce5add027a190d9a56d5a1483cc5d9e1f9d358dffe821c3cfca2981f5dc932aca8755cfa5ab1adca408cb49ebbcb43281589aefa3884d785
-
SSDEEP
12288:lWwORYe6847mPEh0Owdzh6OIkItNCPUHXnaP:lWjqPS60Ouh9Ik0NiUH3aP
Static task
static1
Behavioral task
behavioral1
Sample
Petikan segera.08.10.2021.xlxs.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Petikan segera.08.10.2021.xlxs.exe
Resource
win10v2004-20240730-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
mosqueboy100
Targets
-
-
Target
Petikan segera.08.10.2021.xlxs.exe
-
Size
498KB
-
MD5
b6a26b6912def25202d5c5b3a7cef7ef
-
SHA1
c61a6ca3cf061a2ba382a77d5e697f1dea1e99f2
-
SHA256
e4c04b184aebbb0c4cd7533d2432c5a3699ea15e3fdebcaeec49edfea97cfcf1
-
SHA512
754d0f094e3860f5196a041d841ffa7990d1b6a32749dfa5d13920fa13d1956441fb0bea097ee410da84da6d1f67c72a4ecb1e315ca7dc7dd86734e83bdf4f69
-
SSDEEP
12288:rADyL9pD3+r4m5GEh0AGdu768pSIt/cPU0Xnt0m:0+L7DWY60AB7VpS0/AU03t0m
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1