Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

24/11/2024, 15:42 UTC

241124-s5e35awpby 10

24/11/2024, 15:38 UTC

241124-s22sqawndz 10

General

  • Target

    ?THALAT DEME DURUM.exe

  • Size

    748KB

  • Sample

    241124-s5e35awpby

  • MD5

    db4b551903a1f1bcafb5a352765d6d5d

  • SHA1

    9420762fe9c678d890db7ca615a916a581a0b045

  • SHA256

    744ad803081f6ad2d85f3c667c537c6bc3a47bf95c07f496315171790a1b05a2

  • SHA512

    a68972f3cda539e56f4868cba879b849f1bec731fe465a6eb0cf26e63a911717ea2a839da0cb164603da4bd64bf03aab9006812082250bf4c8061e1bd2adb7d8

  • SSDEEP

    12288:HVU3wtfRzxWW94FJEGDrDZL/YoheVXfanjRRVx8HFIUjgyo1ADKwwNHeLdyWYlt:HVUMpzxW84rEGDrtLwoEVMRVx8H7jgvn

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    roocckkbthree@apexrnun.com
  • Password:
    CCu5Z?WuH+bS4hsz
  • Email To:
    mmanutwo@apexrnun.com

Targets

    • Target

      ?THALAT DEME DURUM.exe

    • Size

      748KB

    • MD5

      db4b551903a1f1bcafb5a352765d6d5d

    • SHA1

      9420762fe9c678d890db7ca615a916a581a0b045

    • SHA256

      744ad803081f6ad2d85f3c667c537c6bc3a47bf95c07f496315171790a1b05a2

    • SHA512

      a68972f3cda539e56f4868cba879b849f1bec731fe465a6eb0cf26e63a911717ea2a839da0cb164603da4bd64bf03aab9006812082250bf4c8061e1bd2adb7d8

    • SSDEEP

      12288:HVU3wtfRzxWW94FJEGDrDZL/YoheVXfanjRRVx8HFIUjgyo1ADKwwNHeLdyWYlt:HVUMpzxW84rEGDrtLwoEVMRVx8H7jgvn

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.