General

  • Target

    Remittance Receipt.exe

  • Size

    698KB

  • Sample

    241027-183mla1pey

  • MD5

    db9a323fde82eac0d972eec0acde0209

  • SHA1

    88ead16576193df0d647c722d70b79f50300e852

  • SHA256

    e93171125e897ba3a556f1b0171629d2a9aaa3298510f97b5d7cda44b9c3c313

  • SHA512

    d22a3073ea9d5c6111e61200521fa9453fc5c5814a4cd64595d5d297c6c5f9d2b5d186d10700728d19087a72c8c392a87797ffe5a48440a42165b095f12204ad

  • SSDEEP

    12288:KCfiaaMHHsczu6ko6E52x82u6/DsXsW7mbXt8V8XME+L:KYi5MH1z9J2du6LsXGtm8Ra

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    payment1759

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers often target it there.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15