{"id":1344,"date":"2020-03-26T01:30:22","date_gmt":"2020-03-26T01:30:22","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1344"},"modified":"2020-03-26T01:35:03","modified_gmt":"2020-03-26T01:35:03","slug":"2020-03-25-agent-telsa-malspam-covid-19-themed","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1344","title":{"rendered":"2020-03-25 Agent Telsa Malspam – Covid-19 Themed"},"content":{"rendered":"

Meta
\n=====<\/strong>
\nFrom: World Health Organization
\nSubject: COVID 19: Passaggi Medici Per Essere Sicuri
\nLink in the email: hxxps:\/\/onedrive[.]live[.]com\/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM<\/p>\n

\"\"<\/a><\/p>\n

Unlike the other one that I documented here<\/a> I could not find any method of persistence in this infection. Also, once the EXE from the ISO has been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself as you can see in the below image. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587).<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Outside of that this was your normal run of Agent Telsa. Artifacts and PCAP can be found over in my Github repo located here<\/a>.<\/p>\n

Reference
\n==========<\/strong><\/p>\n

Malshare: http:\/\/malshare.com\/sample.php?action=detail&hash=9fed11cd0c0bc367b30b08650dfba78f<\/a>
\nMalwareBazaar: http:\/\/bazaar.abuse.ch\/sample\/c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a<\/a> | http:\/\/bazaar.abuse.ch\/sample\/b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752<\/a>
\nAnyRun: http:\/\/app.any.run\/tasks\/8279e4d7-9f37-4f8c-8f50-3f41f4ffc425<\/a>
\nTriage: http:\/\/tria.ge\/reports\/200325-ajbtfx9qy2\/static1<\/a>
\nVT: http:\/\/www.virustotal.com\/gui\/file\/b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752\/detection<\/a> | http:\/\/www.virustotal.com\/gui\/file\/c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a\/detection<\/a><\/p>\n

Artifacts
\n==========<\/strong><\/p>\n

IOCs
\n—–<\/strong><\/p>\n

onedrive[.]live[.]com\/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM – 13[.]104[.]42[.]13:443 (TCP)
\ngqa9cw[.]dm[.]files[.]1drv[.]com – 13[.]104[.]42[.]12:443 (TCP)
\n63[.]250[.]44[.]99:587 (TCP)<\/p>\n

Email hashes
\n————-<\/strong><\/p>\n

98f1d11511f6bdaaf3a172b28a0684652bb19ea39c9c03226b329808cf06b483 — babsha925411157092.eml
\n71a3cf41a223f6acdb9af74c0727b83519cddd4d18dc9d598bd73ff41d022cde — fqhitf034619157093.eml
\nc1166cb7826c73bd58df1cc9861fbf803493048e2482f82175b7872d8f35810a — gsfvxr304743157094.eml
\nd1f3f9a54b2436dc3295f44f691955b67db26adf023f995223430f9e9c2e1442 — lkjtis506730157094.eml
\n9a964c0881dc9304bd8e84a4b5f93cf6364015b497f95713e5014ca4b32cc56f — lpiepe270366157094.eml
\na0887c28ea0e3813030955c8406186bd8e3ce3fa8a607e5e9de2dc28e1833f95 — nqcwpx366703157091.eml
\nb1d74fa576870db5b03e8f975b339f641454e6b337527367520c01caab38600e — ousuxu199249157094.eml
\n2f2a5a968573b732c316c72100fe84083da1258624983d737f35467826994596 — phwhop078067157093.eml
\n766e00a8c35d5c5f3da6b04fb99ac68a6410e7cdaea5621cce5ec7a2da3b3f7f — pnfyxv576698157094.eml
\n0077b9ca2b884f617fa12e19b924ea70b5bd9a4740a1c7b779ee4bc803d66979 — sztvxy079777157096.eml
\n022cf2f0c7a8ead023f3766283d0e80bc7bdcb94b28d6d26683f5f94380285fc — uoplrc973765157092.eml
\n3f9451cf771ef7105ba46077818bedf6bedc24545e5949b4d720e64fde1b804e — wkqfxw145898157093.eml
\n6d7bec87cf26bd7cead8a60f09cd48b03c71bd96552ccd0a3dd6cd6ccce5e13e — xvqnoj876256157092.eml
\n8e0cd347a19c08320db17214831be9bb2d493ecaed4d71845a9c64845e57a803 — yahguq810702157092.eml
\nae6e7bb9994c4485d6ece2d184b41c2b1f09f4d98debca3259dd2136221acfc3 — zrszrs625922157094.eml<\/p>\n

File hashes
\n————<\/strong><\/p>\n

b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752 — Cure Mediche.iso
\nc7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a — makeve.exe<\/p>\n

Machinae results
\n—————–<\/strong><\/p>\n

$ machinae b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752 c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752 (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/file\/report?apikey=XXX&resource=c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a (GET)
\n********************************************************************************
\n* Information for b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n

[+] VirusTotal File Report Results
\n[-] Date submitted: 2020-03-25 12:19:32
\n[-] Detected engines: 5
\n[-] Total engines: 60
\n[-] Scans: (‘BitDefenderTheta’, ‘Gen:NN[.]ZevbaF.34104[.]im0@aK1S9Cmi’)
\n[-] Scans: (‘TrendMicro-HouseCall’, ‘Possible_GENISO-4B’)
\n[-] Scans: (‘TrendMicro’, ‘Possible_GENISO-4B’)
\n[-] Scans: (‘Microsoft’, ‘Trojan:Win32\/Wacatac.C!ml’)
\n[-] Scans: (‘Ikarus’, ‘Trojan-Spy[.]Keylogger[.]AgentTesla’)
\n********************************************************************************
\n* Information for c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n

[+] VirusTotal File Report Results
\n[-] Date submitted: 2020-03-25 12:19:41
\n[-] Detected engines: 8
\n[-] Total engines: 71
\n[-] Scans: (‘Qihoo-360’, ‘HEUR\/QVM03.0.1EED[.]Malware[.]Gen’)
\n[-] Scans: (‘Cylance’, ‘Unsafe’)
\n[-] Scans: (‘APEX’, ‘Malicious’)
\n[-] Scans: (‘Trapmine’, ‘suspicious.low[.]ml[.]score’)
\n[-] Scans: (‘Microsoft’, ‘Trojan:Win32\/Sonbokli.A!cl’)
\n[-] Scans: (‘Acronis’, ‘suspicious’)
\n[-] Scans: (‘eGambit’, ‘Unsafe[.]AI_Score_97%’)
\n[-] Scans: (‘BitDefenderTheta’, ‘Gen:NN[.]ZevbaF.34104[.]im0@aK1S9Cmi’)<\/p>\n

$ machinae 63.250.44.99
\n[.] Requesting http:\/\/www.ipvoid.com\/ip-blacklist-check (POST)
\n[.] Requesting http:\/\/malc0de.com\/database\/index.php?search=63.250.44.99 (GET)
\n[.] Requesting http:\/\/abuseipdb.com\/check\/63.250.44.99 (GET)
\n[.] Requesting http:\/\/ransomwaretracker.abuse.ch\/host\/63.250.44.99 (GET)
\n[.] Requesting http:\/\/isc.sans.edu\/api\/ip\/63.250.44.99 (GET)
\n[.] Requesting http:\/\/freegeoip.io\/json\/63.250.44.99 (GET)
\n[.] Requesting http:\/\/www.fortiguard.com\/webfilter?q=63.250.44.99 (GET)
\n[.] Requesting http:\/\/www.virustotal.com\/vtapi\/v2\/ip-address\/report?ip=63.250.44.99&apikey=XXX (GET)
\n[.] Requesting http:\/\/www.reputationauthority.org\/lookup.php?ip=63.250.44.99 (GET)
\n[.] Requesting http:\/\/www.mcafee.com\/threat-intelligence\/ip\/default.aspx?ip=63.250.44.99 (GET)
\n[.] Requesting http:\/\/cymon.io\/api\/nexus\/v1\/ip\/63.250.44.99\/events\/ (GET)
\n[.] Requesting http:\/\/cymon.io\/api\/nexus\/v1\/ip\/63.250.44.99\/domains\/ (GET)
\n[.] Requesting http:\/\/cymon.io\/api\/nexus\/v1\/ip\/63.250.44.99\/urls\/ (GET)
\n[.] Requesting http:\/\/www.threatcrowd.org\/searchApi\/v2\/ip\/report\/?ip=63.250.44.99 (GET)
\n********************************************************************************
\n* Information for 63.250.44.99
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n

[!] Error from IP Whois: ‘IPWhois’ object has no attribute ‘lookup’
\n[-] No IPVoid Results
\n[-] No Malc0de Results
\n[-] No AbuseIPDB Results
\n[-] No RansomwareTracker Results
\n[-] No SANS Results
\n[+] Fortinet Category Results
\n [-] Fortinet URL Category: Not Rated
\n[+] VirusTotal pDNS Results
\n [-] pDNS data from VirusTotal: (‘2020-02-24’, ‘popeorigin[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-03-25’, ‘popeorigin5[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-25’, ‘popeorigin6[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-25’, ‘popeorigin7[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-24’, ‘webmail[.]popeorigin[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-03-25’, ‘webmail[.]popeorigin5[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-25’, ‘webmail[.]popeorigin6[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-24’, ‘www[.]popeorigin[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-03-25’, ‘www[.]popeorigin5[.]pw’)
\n [-] pDNS data from VirusTotal: (‘2020-02-25’, ‘www[.]popeorigin6[.]pw’)
\n [-] pDNS malicious URLs from VirusTotal: (‘2020-03-20’, ‘hXXp:\/\/popeorigin7[.]pw\/’)
\n[+] Reputation Authority Results
\n [-] Reputation Authority Score: 50\/100
\n[-] No McAfee Threat Results<\/p>\n

Munin results
\n————–<\/strong><\/p>\n

1 \/ 2 > Suspicious
\nHASH: b0d9703714cc221faaba6dd5c4089f5866e2c2dcc8b342e7dfdd647e29ab4752 COMMENT: Cure Mediche.iso
\nVIRUS: Microsoft: Trojan:Win32\/Wacatac.C!ml \/ TrendMicro: Possible_GENISO-4B
\nTYPE: ISO image SIZE: 196.0 KB FILENAMES: Cure Mediche.iso, Cure Mediche.iso
\nFIRST: 2020-03-25 12:19:32 LAST: 2020-03-25 12:19:32 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS: CONTAINS-PE ISOIMAGE
\nRESULT: 5 \/ 60<\/p>\n

2 \/ 2 > Malicious
\nHASH: c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a COMMENT: makeve.exe
\nVIRUS: Microsoft: Trojan:Win32\/Fareit.AE!MTB \/ Kaspersky: Trojan.Win32.Vebzenpak.kbd \/ McAfee: Artemis!9FED11CD0C0B \/ CrowdStrike: win\/malicious_confidence_80% (W) \/ ESET-NOD32: a variant of Win32\/Injector.ELFS \/ GData: Win32.Trojan.Agent.5YQ2H5
\nTYPE: Win32 EXE SIZE: 136.0 KB FILENAMES: Enterophth8.exe, Enterophth8, Enterophth8.exe, makeve.exe
\nFIRST: 2020-03-25 12:19:41 LAST: 2020-03-25 23:24:54 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 1 USERS: VMRay TAGS: PEEXE RUNTIME-MODULES DIRECT-CPU-CLOCK-ACCESS CHECKS-USER-INPUT
\nRESULT: 21 \/ 71
\n[!] Sample on ANY.RUN URL: http:\/\/any.run\/report\/c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Meta ===== From: World Health Organization Subject: COVID 19: Passaggi Medici Per Essere Sicuri Link in the email: hxxps:\/\/onedrive[.]live[.]com\/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM Unlike the other one that I documented here I could not find any method of persistence in this infection. Also, once the EXE from the ISO has been extracted and executed, it created a child process of “RegAsm.exe” to do the heavy lifting while terminating itself as you can see in the below image. This is the process that made the callouts to the couple of IP addresses seen (including data exfil via port 587). Outside of that this was your…<\/p>\n

Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[30],"class_list":["post-1344","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-agent-telsa"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1344"}],"version-history":[{"count":3,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1344\/revisions"}],"predecessor-version":[{"id":1350,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1344\/revisions\/1350"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}