VRad

#agenttesla_220822

Aug 23rd, 2022 (edited)
#IOC #OptiData #VR #AgentTesla #tgz #EXE

https://pastebin.com/3JGCE5hN

previous_contact:
25/02/21 https://pastebin.com/YCVjJ8A6
10/02/21 https://pastebin.com/9JXvM5ix
07/12/20 https://pastebin.com/20AVUqZ6
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to C2


# # # # # # # #
email_headers
# # # # # # # #

Received: from server.globalyapi.net ([178.63.81.8])
Received: from webmail.promyonetim.com.tr (localhost.localdomain [127.0.0.1])
by server.globalyapi.net (Postfix) with ESMTPSA id DB39338616DF;
Date: Mon, 22 Aug 2022 09:35:44 +0800
From: Сьюзан Бойко <gsabanoglu@promyonetim.com.tr>
Subject: Новий ордер на купівлю #15060012
User-Agent: Roundcube Webmail/1.4.13
Message-ID: <fafa2c0675bca6e26c5e0e8165be9654@promyonetim.com.tr>
X-Sender: gsabanoglu@promyonetim.com.tr


# # # # # # # #
files
# # # # # # # #

SHA-256 fd170269fa86a676b7cb5979e9d86d933b1c42595042c1619ce6db85518b7c1c
File name Новий ордер на купівлю.tgz [ GZIP ]
File size 6.73 KB (6894 bytes)

SHA-256 e68d135a807112f6a645331dce18c395f6630c83c7b2e97ebc769a0bbbea1a96
File name Новий ордер на купівлю.exe [ Generic CIL Executable (.NET, Mono, etc.) ]
File size 73.50 KB (75264 bytes)

SHA-256 7ce8972b71a93178e1afbb9e66f74b80da79e69b044139f8b5e8e7939ea94d7c
File name withoutstartup_Kimdoujs.png [ data ]
File size 1.89 MB (1985544 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR https://onedrive.live.com/download?cid=86BAE154236ED5D8&resid=86BAE154236ED5D8%21985&authkey=AJccsSHY3WHoX84


C2 https://api.telegram.org/bot1884223853:AAFBJYLvV6hrzs4P4_W7nhkr0P8noC6MWKI/sendDocument


netwrk
--------------
https://eglife100.com/loader/uploads/withoutstartup_Kimdoujs.png
https://api.telegram.org/bot1884223853:AAFBJYLvV6hrzs4P4_W7nhkr0P8noC6MWKI/sendDocument


comp
--------------
Новий ордер на купівлю.exe 67.211.214.194:443 [eglife100.com]
InstallUtil.exe 149.154.167.220:443 [api.telegram.org]


proc
--------------
"C:\Users\oper\AppData\Local\Temp\Новий ордер на купівлю.exe"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANwAwAA==
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe


persist
--------------
n/a


drop
--------------
C:\Users\oper\Desktop\Новий ордер на купівлю.exe
C:\Windows\Microsoft.NET\Framework\v4.*\InstallUtil.exe


# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/fd170269fa86a676b7cb5979e9d86d933b1c42595042c1619ce6db85518b7c1c/details
https://www.virustotal.com/gui/file/e68d135a807112f6a645331dce18c395f6630c83c7b2e97ebc769a0bbbea1a96/details
https://www.virustotal.com/gui/file/7ce8972b71a93178e1afbb9e66f74b80da79e69b044139f8b5e8e7939ea94d7c/details
https://analyze.intezer.com/analyses/7a7a9497-1624-41c8-89a8-be712557cb3e


VR