VRad

#agenttesla_071220

Dec 7th, 2020 (edited)
#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ

https://pastebin.com/20AVUqZ6

previous_contact:
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:

attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587

email_headers
--------------
n/a

files
--------------
SHA-256 602f146907a0a3c018021258fbd79a14c373bc7c155a831c959121b34c96bb7f
File name 39202 071220.tgz [ gzip compressed data ]
File size 1.55 MB (1624248 bytes)

SHA-256 276b4f0604ba02c08af9202ad2761f452f10e4adc061eefa713fbd055aa0b4c0
File name 39202 071220.exe [ .NET executable ]
File size 1.80 MB (1891328 bytes)

activity
**************
PL_SCR https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21282&authkey=AIrAAExjvidyMqA
previous (04/12/20):
https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug

C2 212.227.15.142:587 [smtp.1and1.es]
212.227.15.158:587 [smtp.1and1.es]

!Steals private information from local Internet browsers
--------------
C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key4.db
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\logins.json
C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\operator\AppData\Roaming\Comodo\IceDragon\profiles.ini

!Harvests credentials from local FTP client software
--------------
C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx

!Harvests information related to installed mail clients
--------------
C:\Users\operator\AppData\Roaming\Postbox\profiles.ini
C:\Users\operator\AppData\Roaming\eM Client
C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\operator\AppData\Roaming\The Bat!
C:\Users\operator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini

netwrk
--------------
212.227.15.158 smtp.1and1.es Client Hello

comp
--------------
39202 071220.exe 3424 TCP 212.227.15.142 587 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\39202 071220.exe [4044]
C:\Users\operator\Desktop\39202 071220.exe [2164]
C:\Users\operator\Desktop\39202 071220.exe [3424]

persist
--------------
n/a

drop
--------------
n/a

# # #
https://www.virustotal.com/gui/file/602f146907a0a3c018021258fbd79a14c373bc7c155a831c959121b34c96bb7f/details
https://www.virustotal.com/gui/file/276b4f0604ba02c08af9202ad2761f452f10e4adc061eefa713fbd055aa0b4c0/details
https://analyze.intezer.com/analyses/81115223-7b13-4773-bc20-97373c847814

VR
