General

  • Target: 972fd901388715716bd9c2c0093eb932_JaffaCakes118
  • Size: 666KB
  • Sample: 241124-zrv1rayrdz
  • MD5: 972fd901388715716bd9c2c0093eb932
  • SHA1: 74ab08bba6de233e53a6c38bf49dc3da797719d2
  • SHA256: 23aad54c19e698c7dd28e813030f8e146f7169aeedc55a10f9a2ea902e192cf6
  • SHA512: 883e50556c9ea6360cd9b3deefe18dc94552eba03bb45634c3fb7ac8eb37e5cb3704a0e6a5bad70744898a31d7d5821012d709f62860223cc3c4f525580f46d4
  • SSDEEP: 12288:vOxTiPxd2ghsN53veg/lyTV4LRC0VUzUZsSihcXp6JtRfflo9RpIcFf0p+BzWN:vO8Z8ghsMV4lLV/mcQJtRHl+6p+Bzk

Malware Config

Extracted

Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: smtp.turkticaret.net
  • Port: 587
  • Username: [email protected]
  • Password: Ackr.2410

Targets

    • Target: quote inquiry picksPayment and shipment terms rfq ref 09004.exe
    • Size: 1.1MB
    • MD5: 32dc2a95065af2ff81d51ef2fc75fd29
    • SHA1: 0891fa4e3afb63a1308e7d0a71047ab0fd4abeb9
    • SHA256: 8e55c4365371bd684ac3f4e58d360c98355359c0598d2448d201b2702efc1549
    • SHA512: 593cdc0b6e8c85e061e17b6a79dfe28baf039cb2a9169728eb3a50f13d83682f383f6c6b1fbc326deee9602fda501b1dbcf90824efc9d473a33178976a84831c
    • SSDEEP: 12288:mtZVxA2YsEDeQX90OYH11McX13/hcTlnKlltpYdW9oz3MdAA:qVYsEDeQN07scJhGnKHVA

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks