Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    90ed9d25dc93f73d574a27e7b7e4806107eafc2018038840521cf44ec5f38245

  • Size

    861KB

  • Sample

    241215-bdpd2szjhx

  • MD5

    4f317fb6f4fc58e20f80bb8054767557

  • SHA1

    b7d39f72903941f59b568476d3e548b3060b9af6

  • SHA256

    90ed9d25dc93f73d574a27e7b7e4806107eafc2018038840521cf44ec5f38245

  • SHA512

    5210fc381b002ec82e86ef83784d94ca5c895a3eb1c9fd72751b45f142ac950a9a7127b53476ee0e800d7973bea2090f6f1a204ae04396aaa7ab620b89434f64

  • SSDEEP

    6144:MKFylHuqIDU7/5mgS7q0XQxvV2B/TsSZ7ADmQK5DLlHE:MK8IDC/5mi5KLsS2KhR

Malware Config

Targets

    • Target

      90ed9d25dc93f73d574a27e7b7e4806107eafc2018038840521cf44ec5f38245

    • Size

      861KB

    • MD5

      4f317fb6f4fc58e20f80bb8054767557

    • SHA1

      b7d39f72903941f59b568476d3e548b3060b9af6

    • SHA256

      90ed9d25dc93f73d574a27e7b7e4806107eafc2018038840521cf44ec5f38245

    • SHA512

      5210fc381b002ec82e86ef83784d94ca5c895a3eb1c9fd72751b45f142ac950a9a7127b53476ee0e800d7973bea2090f6f1a204ae04396aaa7ab620b89434f64

    • SSDEEP

      6144:MKFylHuqIDU7/5mgS7q0XQxvV2B/TsSZ7ADmQK5DLlHE:MK8IDC/5mi5KLsS2KhR

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • System Binary Proxy Execution: InstallUtil

      Abuse InstallUtil to proxy execution of malicious code.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks