General

  • Target

    d51eeb953fe93e273aa16f5ef22619fb_JaffaCakes118

  • Size

    569KB

  • Sample

    240908-1dfvcayepd

  • MD5

    d51eeb953fe93e273aa16f5ef22619fb

  • SHA1

    db06a2c7b81a149dbf4e1bb7e14384c9db7cf4db

  • SHA256

    9d5d5220565e4ff60c4a08dcaa73f074ae75a92dc7158faea742d79ba9efdf1d

  • SHA512

    6092ac213f6ca44334ff1ff52233355f5c5d593d4e50fdb7646edcb3d0654885f5e7191fbe977640d4f48adc29e7ec76265db18bdf9d57cab7c19286d2fb0c06

  • SSDEEP

    12288:sg3sGebKqNOGk9uzWmPyfYXnMYDMkcTZby7Oc3ZnjPVPUStRlvY:sqsGebKql3MS0ZCd8

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.fakly-cambodia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Mmhh#2014

Targets

    • Target

      New Order.exe

    • Size

      1.0MB

    • MD5

      da2b28ff7945825e56de25f06cdeae07

    • SHA1

      6039230ca4a9844b94f894f0411d2fc2049dd3ea

    • SHA256

      213d438ca097826c2ef69d2fa9210cc760825f4be66460ab90bd31452e47c79a

    • SHA512

      21244ff4127b19f3f0aa873a4f2eb4dbfb9082c1e6bdfce843582aeb4a34063776d6e0ff0e3d67a7bf898f7fbac0648b7491f5e12f26aa138286e3926878c1ba

    • SSDEEP

      12288:CgTgwI1Ih2uPkWPC1YbHMYVMCcZvbyROa/6DOKFHm:MwIeFTMMMvml6rFH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks