
General

  • Target

    5aceb86f5e0e5c80e19c6e08c0755a411ba7feacc1aa0759033deb8f73dda4a1

  • Size

    600KB

  • Sample

    241213-mcj9gsxkdp

  • MD5

    569dc1997f9f23de014c339d6ae0bd8f

  • SHA1

    2ff03b4ab5c3cfd7a0fb951d25d7c8b6334f857b

  • SHA256

    5aceb86f5e0e5c80e19c6e08c0755a411ba7feacc1aa0759033deb8f73dda4a1

  • SHA512

    4aaf3cad068c372978ae4632b96b5bfb609d3bcc191cd3d3bc53ce35507765a904726e52b1904c317718f54cde1bf18c280c726484eda58660321c9b336b3931

  • SSDEEP

    12288:tFu+U5Ge7b14P0v77rHxMKX7B1aC6I7LRBwMmq1sFpevzmla:tFxU5Ge7Jn/LeKX7/BhjwnqSFpev5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.alltoursegypt.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    OPldome23#12klein

Extracted

  • Family:
    agenttesla

Targets

    • Target

      Shipping Advice 21545 Final documents.exe

    • Size

      612KB

    • MD5

      bf2eaf378c5276789cb7c4609c0794ec

    • SHA1

      989aec2d97749196cce249acb808350a56ca589e

    • SHA256

      48e0fd5d27b2b0bab57f371c72cbadb81e5df3af8a891fe5defde7193055942b

    • SHA512

      7621ab0b046819be21d5fd2d69fb38a47fd15761937fad65f8d53a9127ec5a0f0eb2e300448d2a1e05c92a03d2998e56a4524e198a4775c4dfec0e900f235635

    • SSDEEP

      12288:QCD0bOY6MLUcNFhyB6MDw438vOCxqDKbXCll9/95+PAY5DFxKV:QZU49jhypDHe8QCl55+PAU3e

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (originally Visual Basic .NET); it typically exfiltrates harvested credentials over SMTP, FTP or HTTP, which is why the extracted config above carries an SMTP account.

    • Agenttesla family

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites the register state of another thread. In malware it is commonly paired with a child process created suspended and WriteProcessMemory so that the resumed thread executes injected code (process hollowing).
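The signature list above names the behaviours but not the registry keys, hosts or API sequence that trigger them. As an added example (not tria.ge's detection code and not code from the sample), the following Python matcher runs over a constructed sandbox event stream and emits the same signature names, plus an ordered-sequence heuristic for process hollowing. The registry paths, the IP-lookup host list and the hollowing call order are assumptions drawn from commonly documented anti-VM and injection technique, not values taken from this report.

```python
"""Toy sandbox-signature matcher over a constructed event stream (added example)."""
from dataclasses import dataclass
from urllib.parse import urlparse
import re


@dataclass(frozen=True)
class Event:
    kind: str          # "reg_query" | "api" | "http"
    pid: int
    target: str        # registry key, API name, or URL
    detail: str = ""   # value name or API flags (free text)


# Registry keys commonly probed for virtualisation artefacts (assumed; the report
# names the behaviour, not the exact keys the sample touched).
REG_SIGNATURES = {
    "Looks for VirtualBox Guest Additions in registry":
        re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Oracle\\VirtualBox Guest Additions", re.I),
    "Looks for VMWare Tools registry key":
        re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?VMware, Inc\.\\VMware Tools", re.I),
    "Checks BIOS information in registry":
        re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I),
    "Maps connected drives based on registry":
        re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", re.I),
}

# Legitimate external-IP lookup services often abused by stealers (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ipinfo.io", "ip-api.com"}

# Canonical call order for classic process hollowing (assumed heuristic).
HOLLOWING_STEPS = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def _canonical_api(ev: Event) -> str:
    """Fold Win32/Nt variants into the step names used by HOLLOWING_STEPS."""
    name = ev.target
    if name.startswith("CreateProcess") and "CREATE_SUSPENDED" in ev.detail:
        return "CreateProcess"
    if name in ("WriteProcessMemory", "NtWriteVirtualMemory"):
        return "WriteProcessMemory"
    if name in ("SetThreadContext", "NtSetContextThread"):
        return "SetThreadContext"
    if name in ("ResumeThread", "NtResumeThread"):
        return "ResumeThread"
    return name


def _is_subsequence(steps, calls) -> bool:
    """True if every step appears in `calls` in order (other calls may interleave)."""
    it = iter(calls)
    return all(any(step == c for c in it) for step in steps)


def match_signatures(events) -> list:
    """Return the sorted list of signature names triggered by the event stream."""
    hits = set()
    api_by_pid = {}
    for ev in events:
        if ev.kind == "reg_query":
            for name, pat in REG_SIGNATURES.items():
                if pat.search(ev.target):
                    hits.add(name)
        elif ev.kind == "http":
            host = (urlparse(ev.target).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits.add("Looks up external IP address via web service")
        elif ev.kind == "api":
            api_by_pid.setdefault(ev.pid, []).append(_canonical_api(ev))
    for calls in api_by_pid.values():
        if "SetThreadContext" in calls:
            hits.add("Suspicious use of SetThreadContext")
        if _is_subsequence(HOLLOWING_STEPS, calls):
            hits.add("Process hollowing pattern (suspended child, memory write, SetThreadContext, ResumeThread)")
    return sorted(hits)


# Constructed event stream imitating what a sandbox would log for this kind of sample.
SAMPLE_EVENTS = [
    Event("reg_query", 1234, r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    Event("reg_query", 1234, r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    Event("reg_query", 1234, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    Event("reg_query", 1234, r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
    Event("http", 1234, "http://api.ipify.org/"),
    Event("api", 1234, "CreateProcessW", "CREATE_SUSPENDED"),
    Event("api", 1234, "WriteProcessMemory"),
    Event("api", 1234, "SetThreadContext"),
    Event("api", 1234, "ResumeThread"),
    Event("reg_query", 5678, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),  # no signature
]

if __name__ == "__main__":
    for sig in match_signatures(SAMPLE_EVENTS):
        print(sig)
```

The hollowing heuristic is order-sensitive on purpose: SetThreadContext alone is reported as "suspicious", but the stronger verdict requires a suspended child, a memory write and a resume in that order within one process, which is what separates injection from legitimate debugger use.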

MITRE ATT&CK Enterprise v15

Tasks