2020-03-23 Agent Telsa Malspam

Meta
=====

From: Procurement – site@hamnc.com
Subject: Purchase Order
Attachment: Company Profile, Product Specification And Trial Order.pdf.img

Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was setup. Persistence was setup via the Windows Task Scheduler as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the “C:\Users\%username%\AppData\Roaming” folder.

When looking at the results from a simple filter in Process Monitor (Process name = Company Profile, Product Specification And Trial Order.pdf.exe and Operation = QueryDirectory and Operation = QueryNetworkOpenInformationFile) we can see that the malware is looking for the usual things (ie: installed applications and creds).

Artifacts can be found over at my Github located here.

Reference
==========

http://www.virustotal.com/gui/file/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19/community
http://bazaar.abuse.ch/sample/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19/
http://malshare.com/sample.php?action=detail&hash=b72502adc492cd694cd064d56a93fed5
http://app.any.run/tasks/dd1cf69a-09a0-4664-a7a2-752fe5449c43

Artifacts
==========

IOCs
—–

mail.gandi.net:587 (TCP)

Email hashes
————-

bcf37b670630f8834c9bd263347071b9a46230ef576681ce9c06ce541c6b8790 — gtyoyi630112974655.eml
f160a285f7602e4e406ee7c3e2708035c27864ddd8c943a4320bca9062388053 — hsmeyc831822974665.eml
f6efc1aec315b5a410c48b49cb8c538a86d12bed3d6b5f7155fc87a15045ea27 — iyhdyx543761974662.eml
616576256b6b137c7cee036503a35361ab2b94e003ad585f361bef24ee01b179 — jsyjse866746974660.eml
6e49dd91110f1c7bce55696ccc6db1e1ae4b49dc83144dafcdf722a592458fa1 — kkpenr753224974660.eml
7b1a3cbb808a4797132fab4d7d00f7123117022f0b3ba0ed45dc3ae7da689ee5 — lmdrjp449105974662.eml
da3e59d57ccdfb336afdb452ca366a2eb663582a360adfd20475d0b936285bd3 — pmzdyv370806974662.eml
980c16beea6827fac0a763c67bfb59b9252d6f8d9e041f3460f70671030ba724 — tonfxb666161974660.eml
cbe2f144d554f092e3ac98e555d2da27f2e7f86e660637122c87466db6bd1fbd — xgybkt701416974655.eml

File hashes
————

88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 — Company Profile, Product Specification And Trial Order.pdf.img
398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 — Company Profile, Product Specification And Trial Order.exe
398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 — doQsVLzQv.exe
– File location: C:\Users\%username%\AppData\Roaming

Machinae results
—————–

$ machinae 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836
[.] Requesting http://www.virustotal.com/vtapi/v2/file/report?apikey=XXX&resource=398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 (GET)
[.] Requesting http://www.virustotal.com/vtapi/v2/file/report?apikey=XXX&resource=88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 (GET)
********************************************************************************
* Information for 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2020-03-23 08:46:30
[-] Detected engines: 10
[-] Total engines: 72
[-] Scans: (‘FireEye’, ‘Generic[.]mg.b72502adc492cd69’)
[-] Scans: (‘Cylance’, ‘Unsafe’)
[-] Scans: (‘Sangfor’, ‘Malware’)
[-] Scans: (‘Alibaba’, ‘Trojan:Win32/starter[.]ali1000139’)
[-] Scans: (‘Cybereason’, ‘malicious.176ae4’)
[-] Scans: (‘ESET-NOD32’, ‘a variant of MSIL/GenKryptik[.]EGKX’)
[-] Scans: (‘Ikarus’, ‘Trojan[.]Agent[.]EX’)
[-] Scans: (‘Microsoft’, ‘Trojan:Win32/Wacatac.C!ml’)
[-] Scans: (‘Malwarebytes’, ‘Trojan[.]MalPack[.]ADC’)
[-] Scans: (‘APEX’, ‘Malicious’)
********************************************************************************
* Information for 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[+] VirusTotal File Report Results
[-] Date submitted: 2020-03-23 13:55:36
[-] Detected engines: 12
[-] Total engines: 61
[-] Scans: (‘Sangfor’, ‘Malware’)
[-] Scans: (‘Symantec’, ‘Trojan[.]Gen.2’)
[-] Scans: (‘TrendMicro-HouseCall’, ‘Possible_GENISO-6’)
[-] Scans: (‘Rising’, ‘Trojan[.]GenKryptik!8.AA55 (CLOUD)’)
[-] Scans: (‘TrendMicro’, ‘Possible_GENISO-6’)
[-] Scans: (‘McAfee-GW-Edition’, ‘Artemis!B72502ADC492’)
[-] Scans: (‘Ikarus’, ‘Trojan[.]Agent[.]EX’)
[-] Scans: (‘Cyren’, ‘W32/MSIL_Kryptik[.]AJW[.]gen!Eldorado’)
[-] Scans: (‘Fortinet’, ‘MSIL/GenKryptik[.]EGKX!tr’)
[-] Scans: (‘Microsoft’, ‘Trojan:Win32/Wacatac.C!ml’)
[-] Scans: (‘McAfee’, ‘Artemis!B72502ADC492’)
[-] Scans: (‘ESET-NOD32’, ‘a variant of MSIL/GenKryptik[.]EGVF’)

$ machinae mail.gandi.net
[.] Requesting http://www.urlvoid.com/scan/mail.gandi.net (GET)
[.] Requesting http://www.toolsvoid.com/unshorten-url (POST)
[.] Requesting http://malc0de.com/database/index.php?search=mail.gandi.net (GET)
[.] Requesting http://www.fortiguard.com/webfilter?q=mail.gandi.net (GET)
[.] Requesting http://www.virustotal.com/vtapi/v2/domain/report?domain=mail.gandi.net&apikey=XXX (GET)
[.] Requesting http://www.reputationauthority.org/lookup.php?ip=mail.gandi.net (GET)
[.] Requesting http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=mail.gandi.net (GET)
[.] Requesting http://cymon.io/api/nexus/v1/domain/mail.gandi.net (GET)
********************************************************************************
* Information for mail.gandi.net
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with –list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[-] No Malc0de Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Web-based Email
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2019-12-12’, ‘217[.]70.178.9’)
[-] pDNS data from VirusTotal: (‘2014-05-15’, ‘217[.]70.184.11’)
[-] Webutation Safety score: 100
[+] Reputation Authority Results
[-] Reputation Authority Score: 50/100
[+] McAfee Threat Results
[-] McAfee Web Risk: Minimal
[-] McAfee Last Seen: 2020-03-23

Munin results
————–

1 / 3 > Suspicious
HASH: 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 COMMENT: doQsVLzQv.exe
VIRUS: Microsoft: Trojan:Win32/Wacatac.C!ml / ESET-NOD32: a variant of MSIL/GenKryptik.EGKX
TYPE: Win32 EXE SIZE: 779.5 KB FILENAMES: vjKPwLdpyllsI.exe, doqsvlzqv.exe, Company Profile, Product Specification And Trial Order.exe, vjKPwLdpyllsI.exe
COPYRIGHT: Copyright 2019 DESCRIPTION: Calculator
FIRST: 2020-03-23 08:46:30 LAST: 2020-03-23 08:46:30 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 1 USERS: thor TAGS: PEEXE ASSEMBLY DIRECT-CPU-CLOCK-ACCESS DETECT-DEBUG-ENVIRONMENT RUNTIME-MODULES
RESULT: 10 / 72
[!] Sample on ANY.RUN URL: http://any.run/report/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19

2 / 3 > Suspicious
HASH: 398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19 COMMENT: Company Profile Product Specification And Trial Order.exe
VIRUS: Microsoft: Trojan:Win32/Wacatac.C!ml / ESET-NOD32: a variant of MSIL/GenKryptik.EGKX
TYPE: Win32 EXE SIZE: 779.5 KB FILENAMES: vjKPwLdpyllsI.exe, doqsvlzqv.exe, Company Profile, Product Specification And Trial Order.exe, vjKPwLdpyllsI.exe
COPYRIGHT: Copyright 2019 DESCRIPTION: Calculator
FIRST: 2020-03-23 08:46:30 LAST: 2020-03-23 08:46:30 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 1 USERS: thor TAGS: PEEXE ASSEMBLY DIRECT-CPU-CLOCK-ACCESS DETECT-DEBUG-ENVIRONMENT RUNTIME-MODULES
RESULT: 10 / 72
[!] Imphash – appeared 2 times in this batch f34d5f2d4577ed6d9ceec516c1f5a744
[!] Sample on ANY.RUN URL: http://any.run/report/398326880d507f3c7731113a7c2630e01df8a3013422346c12e55d5ab76efd19

3 / 3 > Malicious
HASH: 88267f2e2bea9ad5c656487aa738ceb3bf13b008e9b4088d9ea68ed7711c2836 COMMENT: Company Profile Product Specification And Trial Order.pdf.img
VIRUS: Microsoft: Trojan:Win32/Wacatac.C!ml / McAfee: Artemis!B72502ADC492 / TrendMicro: Possible_GENISO-6 / ESET-NOD32: a variant of MSIL/GenKryptik.EGVF / Symantec: Trojan.Gen.2
TYPE: unknown SIZE: 1.31 MB FILENAMES: mime-part–27738-3415.img, mime-part–27738-3415.img
FIRST: 2020-03-23 08:46:26 LAST: 2020-03-23 13:55:36 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 0 USERS: – TAGS: CONTAINS-PE
RESULT: 12 / 61