Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a

  • Size

    1KB

  • Sample

    250129-bt91pazkfk

  • MD5

    0a03773457f7513861c5afa028f5f5d1

  • SHA1

    d4797df5db25241ea55e6c3926610b146dbb24c1

  • SHA256

    2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a

  • SHA512

    44a33cf835fc3188c96f220054769b00d895f8e188b118534d6d78236a25f51862d94cfab9a0705abdb7ba8d8630f4739951d51c1b8c1e59d8ffbce78b025b8c

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.siscop.com.co
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    +5s48Ia2&-(t

Targets

    • Target

      2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a

    • Size

      1KB

    • MD5

      0a03773457f7513861c5afa028f5f5d1

    • SHA1

      d4797df5db25241ea55e6c3926610b146dbb24c1

    • SHA256

      2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a

    • SHA512

      44a33cf835fc3188c96f220054769b00d895f8e188b118534d6d78236a25f51862d94cfab9a0705abdb7ba8d8630f4739951d51c1b8c1e59d8ffbce78b025b8c

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks