Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

madamwebwi...ts.vbs

windows7-x64

10

madamwebwi...ts.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    madamwebwin7MPDW-constraints.vbs

  • Size

    112KB

  • Sample

    240805-xbrbhsycle

  • MD5

    d16a594241bdd18814c7c8f184a02210

  • SHA1

    a544bc1a93d10c01ec6880adaba6e11fed6d900d

  • SHA256

    f45da766b2669cba563f9c59d97c55b5ee73990f85f87f619d136ccbae00d61f

  • SHA512

    62f68f1c48200b69deb0a00543d42eaa1194942eac9e1f13749ba913d97662d3c87c0dfb0eb24bf27802f58602988e149fee478b48b1853dd705c533a8330cbe

  • SSDEEP

    1536:FkLcccOgt5pz9UGwcFsYmOKVUJW4Wrle/PhG+/kery+bG8:8gt5pmGwisYmOKdS7b

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.fosna.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    =A+N^@~c]~#I

Targets

    • Target

      madamwebwin7MPDW-constraints.vbs

    • Size

      112KB

    • MD5

      d16a594241bdd18814c7c8f184a02210

    • SHA1

      a544bc1a93d10c01ec6880adaba6e11fed6d900d

    • SHA256

      f45da766b2669cba563f9c59d97c55b5ee73990f85f87f619d136ccbae00d61f

    • SHA512

      62f68f1c48200b69deb0a00543d42eaa1194942eac9e1f13749ba913d97662d3c87c0dfb0eb24bf27802f58602988e149fee478b48b1853dd705c533a8330cbe

    • SSDEEP

      1536:FkLcccOgt5pz9UGwcFsYmOKVUJW4Wrle/PhG+/kery+bG8:8gt5pmGwisYmOKdS7b

    Score
    10/10
    executionagentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks