Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

9

09a5f12d38...9e.exe

windows7-x64

10

09a5f12d38...9e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    09a5f12d3849ee7084929bd2631e853b293bc843b7e7fcf17531b4fa0551329e

  • Size

    1.5MB

  • Sample

    250114-b1ajeasqfy

  • MD5

    09f687e29cf08605a549c7e0936b1a76

  • SHA1

    7a121086b5602cb2cada4cb9ff13cc0046782b8c

  • SHA256

    09a5f12d3849ee7084929bd2631e853b293bc843b7e7fcf17531b4fa0551329e

  • SHA512

    88160113f6492e5997ff68045a4badb91c1e93f924c4a99020e7446980de3f8d0d6778849463f79a44247d0918b8f3cd2971523365ab88aeb28f69b6cafe6f2f

  • SSDEEP

    24576:ttb4vkUmvVVJNFfu3Gny55ZCR6nnjqKoevv1RIAhjLoamMiX4lNmZg0YxegPbUID:rjvtvTQGy59jqKoe5jLoyEkmZ9Y14

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    fadicogroup.cf
  • Port:
    587
  • Username:
    fadi@fadicogroup.cf
  • Password:
    8hp5E?lU@w@q

Targets

    • Target

      09a5f12d3849ee7084929bd2631e853b293bc843b7e7fcf17531b4fa0551329e

    • Size

      1.5MB

    • MD5

      09f687e29cf08605a549c7e0936b1a76

    • SHA1

      7a121086b5602cb2cada4cb9ff13cc0046782b8c

    • SHA256

      09a5f12d3849ee7084929bd2631e853b293bc843b7e7fcf17531b4fa0551329e

    • SHA512

      88160113f6492e5997ff68045a4badb91c1e93f924c4a99020e7446980de3f8d0d6778849463f79a44247d0918b8f3cd2971523365ab88aeb28f69b6cafe6f2f

    • SSDEEP

      24576:ttb4vkUmvVVJNFfu3Gny55ZCR6nnjqKoevv1RIAhjLoamMiX4lNmZg0YxegPbUID:rjvtvTQGy59jqKoe5jLoyEkmZ9Y14

    Score
    10/10
    agentteslacollectioncredential_accessdiscoverykeyloggerpersistenceprivilege_escalationspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Agenttesla family

      agenttesla

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

5
T1552

Credentials In Files

4
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.