Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_ac72fb4c35f643ceede6c8a645b7efdf

  • Size

    383KB

  • Sample

    250108-zvtl4awkan

  • MD5

    ac72fb4c35f643ceede6c8a645b7efdf

  • SHA1

    94ee20d613c56c3488bf5af6a9da347dbe51b60b

  • SHA256

    88e39d27b4ea76f3413a5561e71b3360f79de3c8025a0357b6dfc6764a721a39

  • SHA512

    812025ca8e7d908e00f55ddd8e02dee17f6ab6f7cc4f38c9d9769cd05307a86ef99f3bde373a6b7a5f917d842e436f1fe81fd6f12dc76f5ccc5dd8e0ef55957b

  • SSDEEP

    6144:ddV+bQVGUC6cTqDZId1iUAPJjBuYt/MqbyO7w0vI+rGZAL9wUOAMdQ9d/kcwZ5E4:ddVrG/qDZId1iUAPJjBuYUq2M/LuDAx9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sontcehkwhxjwuqj

Targets

    • Target

      JaffaCakes118_ac72fb4c35f643ceede6c8a645b7efdf

    • Size

      383KB

    • MD5

      ac72fb4c35f643ceede6c8a645b7efdf

    • SHA1

      94ee20d613c56c3488bf5af6a9da347dbe51b60b

    • SHA256

      88e39d27b4ea76f3413a5561e71b3360f79de3c8025a0357b6dfc6764a721a39

    • SHA512

      812025ca8e7d908e00f55ddd8e02dee17f6ab6f7cc4f38c9d9769cd05307a86ef99f3bde373a6b7a5f917d842e436f1fe81fd6f12dc76f5ccc5dd8e0ef55957b

    • SSDEEP

      6144:ddV+bQVGUC6cTqDZId1iUAPJjBuYt/MqbyO7w0vI+rGZAL9wUOAMdQ9d/kcwZ5E4:ddVrG/qDZId1iUAPJjBuYUq2M/LuDAx9

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks