Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_a91eb16dec4963d0b7198e9bb1b3d379

  • Size

    520KB

  • Sample

    250108-ymwaaa1kgw

  • MD5

    a91eb16dec4963d0b7198e9bb1b3d379

  • SHA1

    c037fe12d74cdb7bc82b338a3babd35aa11c1b57

  • SHA256

    4da9cdaabab199c810cad207fe4dd792068eb0993f3a26a73c0a9bfb19f9831c

  • SHA512

    09a9a53ba5b2a7ee1d1074353c1e64ff50b8dab1aa3e8fbf4baf0326e0a0e2a2306c2ce9d4546693ae58a2a5278df94d0d877bf04fc024b6091af5483447d881

  • SSDEEP

    12288:UcMhUi2iNbL+UC5n8DreYwiAecqVokngG:UcMhUi1l05n8mcHc7k

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.scahe.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    scaheavy@12345

Targets

    • Target

      JaffaCakes118_a91eb16dec4963d0b7198e9bb1b3d379

    • Size

      520KB

    • MD5

      a91eb16dec4963d0b7198e9bb1b3d379

    • SHA1

      c037fe12d74cdb7bc82b338a3babd35aa11c1b57

    • SHA256

      4da9cdaabab199c810cad207fe4dd792068eb0993f3a26a73c0a9bfb19f9831c

    • SHA512

      09a9a53ba5b2a7ee1d1074353c1e64ff50b8dab1aa3e8fbf4baf0326e0a0e2a2306c2ce9d4546693ae58a2a5278df94d0d877bf04fc024b6091af5483447d881

    • SSDEEP

      12288:UcMhUi2iNbL+UC5n8DreYwiAecqVokngG:UcMhUi1l05n8mcHc7k

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks