2020-03-25 Agent Tesla Malspam – Covid-19 Themed

Meta
=====
From: World Health Organization
Subject: COVID 19: Passaggi Medici Per Essere Sicuri
Link in the email: hxxps://onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM

Unlike the other one that I documented here, I could not find any method of persistence in this infection. Also, once the EXE from the ISO had been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself, as you can see in the image below. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587). Outside of that this was your…

2020-03-23 Agent Tesla Malspam

Meta
=====
From: Procurement – site@hamnc.com
Subject: Purchase Order
Attachment: Company Profile, Product Specification And Trial Order.pdf.img

Running this in my VM, I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The interesting thing is the persistence that was set up. Persistence was set up via the Windows Task Scheduler, as seen below. The file that is being used in the Task Scheduler has the same hash as the file in the attachment. The location of this file (doQsVLzQv.exe) can be found in the…

2018-10-24 Agent Tesla Malspam

This is a quick write-up of some Agent Tesla malspam that I was able to find within our email filters. For a good overview of what this malware is and how it works, please see the following links:

http://krebsonsecurity.com/2018/10/who-is-agent-tesla/
http://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

For the artifacts found from this investigation, please see my Github repo located here.

IOCs:
=====
208.91.199.225:587 (TCP)

Artifacts
=======
File name: RFQ-HMA-2120864-18.arj
File size: 216K
File path: NA
MD5 hash: 321a93e4393042bcae84ee695def3e63
Virustotal: http://www.virustotal.com/#/file/a84aafdffc64e7755dd1025781095c3244c9f1389e2e836ac2691ac0fa1a0925/detection
Detection ratio: 25 / 56
First Detected: 2018-10-21 10:43:42

File name: RFQ-HMA-2120864-18.exe / tmpG998.tmp / MyOtApp.exe
File size: 260K
File path: NA / C:\Users\%username%\AppData\Local\Temp / C:\Users\Bill\AppData\Roaming\MyOtApp…