General

  • Target

    DOC.rar

  • Size

    619KB

  • Sample

    241003-ncyybaxcjq

  • MD5

    3a5a81a4e016d1a76b388ff3fe187053

  • SHA1

    ed2d98cd24237278b41dd4dfd9f6885821052abe

  • SHA256

    e5b1e16daa002f8571e782628879b8a41b664f6430ce76edbf69f5a1b0f3ee0e

  • SHA512

    b2c63dfee9aa366bdd02176fe0c120aafcf7f0055684356fde4ab8bff67e907dcb87d74b7f177c1b92e38b16026f3033954d7aa837037cc417bae9d3f4967ec4

  • SSDEEP

    12288:cW80s0x5S1b0rZuBdDDlxlGozGhuy6G4XxxwSBNPe2rcEhCeIZ:ces0x5S1b0IBdD5x8n4Bxrx7CeA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    basicsoft@apexrnun.com
  • Password:
    dU*wU0)yR;?4q|-#
  • Email To:
    newjessy@apexrnun.com

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    basicsoft@apexrnun.com
  • Password:
    dU*wU0)yR;?4q|-#

Targets

    • Target

      iu5J6ktsl7y8tiM.exe

    • Size

      790KB

    • MD5

      6fc0480b81f7492fef68b69e3707c213

    • SHA1

      956e53123b9650d62f38532fe65e7c72f1fced1d

    • SHA256

      021b5417b02a080b620285e4bc35871a4c013c4fb46884574bad06b2b896394c

    • SHA512

      7edfc8b39d60f3d898e8d876e2d591f6db6cd023242d427b14268b4908d3ac8cb16a85ab19aa1b06b3fd735636b5c2b8ee7a8c6fe6f3b7dbdbd848458e9c5ae6

    • SSDEEP

      12288:SW6jz+yrT5G1wXJjMZMNX0Q+JiDi3yqepAhencOxeUc7N5F:V+z+yrTrlPUeFjAhff7Nf

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
