VRad

#agenttesla_100221

Feb 10th, 2021 (edited)
#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ

https://pastebin.com/9JXvM5ix

previous_contact:
07/12/20 https://pastebin.com/20AVUqZ6
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:

attack_vector
--------------
email > URL to onedrive > TGZ > EXE > exfil to smtp.1and1.es:587

email_headers
--------------
Received: from server.cdcnet.hu (server.cdcnet.hu [89.132.146.50])
Received: from localhost (localhost.localdomain [127.0.0.1])
by server.cdcnet.hu (Postfix) with ESMTP id C787D3C4;
with ESMTP id MYnIjZSd9U-H; Wed, 10 Feb 2021 09:28:42 +0100 (CET)
Received: from cdcnet.hu (localhost [IPv6:::1])
by server.cdcnet.hu (Postfix) with ESMTP id 93B287C3;
Date: Wed, 10 Feb 2021 03:28:34 -0500
From: ПриватБанк | Оплата та виставлення рахунків <maglodkozvil@cdcnet.hu>   [display name: "PrivatBank | Payment and invoicing"]
Subject: Копія платіжного доручення   ["Copy of payment order"]
In-Reply-To: <0d74b645da45a1b70836413c1bc66d84@artexsaigon.com.vn>
References: <CACMRaMXLhBoJfYAQhxqSAdNu-DnLF7ktbMLxpub8i3_ngFV=LQ@mail.gmail.com>
X-Sender: maglodkozvil@cdcnet.hu
User-Agent: Roundcube Webmail/1.2.3

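The header block above carries three signals a mail filter can score without any reputation lookup: a bank brand in the display name on an unrelated sending domain; an In-Reply-To header on a message whose Subject carries no reply prefix, the shape of a reply injected into someone else's thread; and a Date header claiming -0500 while the MTA stamps +0100 CET, only eight seconds apart in UTC, so the clock agrees but the composing client's configured timezone does not match the server. X-Sender equals From and the first hop is cdcnet.hu's own Postfix, which points at the sender's own Roundcube account rather than address spoofing. The script below is an added example, not part of the original paste: it runs those checks over the paste's headers with the stdlib email parser. The brand-to-domain table, the reply-prefix list and the skew threshold are assumptions; the headers are copied from the paste with continuation lines re-folded.

```python
"""Score the phishing headers from this paste for reply-chain and
brand-spoofing signals.  Added example, not part of the original paste."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from the paste.  Continuation lines are re-folded with the
# leading whitespace RFC 5322 requires so the stdlib parser accepts them.
HEADERS = """\
Received: from server.cdcnet.hu (server.cdcnet.hu [89.132.146.50])
Received: from localhost (localhost.localdomain [127.0.0.1])
 by server.cdcnet.hu (Postfix) with ESMTP id C787D3C4;
 with ESMTP id MYnIjZSd9U-H; Wed, 10 Feb 2021 09:28:42 +0100 (CET)
Received: from cdcnet.hu (localhost [IPv6:::1])
 by server.cdcnet.hu (Postfix) with ESMTP id 93B287C3;
Date: Wed, 10 Feb 2021 03:28:34 -0500
From: ПриватБанк | Оплата та виставлення рахунків <maglodkozvil@cdcnet.hu>
Subject: Копія платіжного доручення
In-Reply-To: <0d74b645da45a1b70836413c1bc66d84@artexsaigon.com.vn>
References: <CACMRaMXLhBoJfYAQhxqSAdNu-DnLF7ktbMLxpub8i3_ngFV=LQ@mail.gmail.com>
X-Sender: maglodkozvil@cdcnet.hu
User-Agent: Roundcube Webmail/1.2.3
"""

# Assumed brand table: a display name that mentions the brand must come
# from the listed domain or a subdomain of it.  Extend per organisation.
BRAND_DOMAINS = {"приватбанк": "privatbank.ua", "privatbank": "privatbank.ua"}
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd|aw|sv)\s*:", re.IGNORECASE)
RECEIVED_STAMP = re.compile(
    r"[A-Z][a-z]{2}, \d{1,2} [A-Z][a-z]{2} \d{4} \d\d:\d\d:\d\d [+-]\d{4}")


def triage_headers(raw):
    """Return {signal_name: explanation} for every heuristic that fires."""
    msg = email.message_from_string(raw)
    findings = {}

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name.lower() and not (
                from_domain == legit or from_domain.endswith("." + legit)):
            findings["brand_spoof"] = (
                f"display name {name!r} but sender domain {from_domain}")
            break

    # A reply into an existing thread whose subject was never prefixed
    # with "Re:" is the shape of a message injected into a stolen thread.
    subject = msg.get("Subject", "")
    if msg.get("In-Reply-To") and not REPLY_PREFIX.match(subject):
        findings["reply_without_re"] = (
            f"In-Reply-To {msg['In-Reply-To']} but subject {subject!r}")

    # Compare the client's Date header with the MTA's own timestamp.  A large
    # UTC skew means a forged Date; a small skew with a different offset means
    # the composing client sits in another timezone than the server (weak).
    date = parsedate_to_datetime(msg["Date"])
    for received in msg.get_all("Received", []):
        m = RECEIVED_STAMP.search(received)
        if not m:
            continue  # truncated hop lines carry no timestamp
        stamp = parsedate_to_datetime(m.group(0))
        skew = abs((stamp - date).total_seconds())
        if stamp.utcoffset() != date.utcoffset():
            findings["client_tz_mismatch"] = (
                f"Date offset {date.strftime('%z')} vs MTA "
                f"{stamp.strftime('%z')}, UTC skew {skew:.0f}s")
        if skew > 600:  # assumed threshold
            findings["date_forged"] = f"Date and Received differ by {skew:.0f}s"
        break

    # Envelope sender vs From: equal here, so the address itself is not
    # spoofed; the account behind X-Sender is what sent the mail.
    sender = msg.get("X-Sender", "").strip().lower()
    if sender and sender != addr.lower():
        findings["xsender_mismatch"] = f"X-Sender {sender} vs From {addr}"
    return findings


if __name__ == "__main__":
    for key, why in triage_headers(HEADERS).items():
        print(f"{key:20} {why}")
```

On the paste's headers this fires brand_spoof, reply_without_re and client_tz_mismatch (with an 8 s UTC skew) and stays silent on date_forged and xsender_mismatch, which is the profile of a real account sending a crafted reply.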
files
--------------
SHA-256 c0b7cb8bb82ab3b25c87aaf5aee2679857c030bb216272dc49d2d3d157a9cc9d
File name Платіжне доручення.tgz ("Payment order.tgz") [ GZIP ]
File size 484.20 KB (495821 bytes)

SHA-256 3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd
File name Платіжне доручення.exe ("Payment order.exe") [ .NET executable ]
File size 917.50 KB (939520 bytes)

unpacked from exe
--------------
SHA-256 76d943b7ec3646eb97870f85001cae19a2cd552b72fb4dc00d354ce8715b80f9
File name child1.exe [ .NET executable ]
File size 407.50 KB (417280 bytes)

SHA-256 2c2fbae20d46eb124ff52f0894e82490e5e1c9f044d115a5fbc590d611bea6de
File name child2.exe [ .NET executable ]
File size 216.00 KB (221184 bytes)

SHA-256 2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
File name child3.exe [ .NET executable ]
File size 12.50 KB (12800 bytes)


activity
**************
PL_SCR current
https://onedrive.live.com/download?cid=44BBFEE50A375AFB&resid=44BBFEE50A375AFB!3900&authkey=AE3hRpZjTZyiajM

previous
(07/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21282&authkey=AIrAAExjvidyMqA
(04/12/20) https://onedrive.live.com/download?cid=22B7C997915C7868&resid=22B7C997915C7868%21277&authkey=ANqq4raBmU8qCug

C2 212.227.15.158:587 [smtp.1and1.es]


!Steals private information from local Internet browsers
--------------
C:\Users\operator\AppData\Roaming\Opera Software\Opera Stable
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\key4.db
C:\Users\operator\AppData\Roaming\Mozilla\Firefox\Profiles\axdea46y.default\logins.json
C:\Users\operator\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\operator\AppData\Roaming\Comodo\IceDragon\profiles.ini

!Harvests credentials from local FTP client software
--------------
C:\Users\operator\AppData\Roaming\FTPGetter\servers.xml
C:\Users\operator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
C:\Users\operator\AppData\Roaming\CoreFTP\sites.idx

!Harvests information related to installed mail clients
--------------
C:\Users\operator\AppData\Roaming\Postbox\profiles.ini
C:\Users\operator\AppData\Roaming\eM Client
C:\Users\operator\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\operator\AppData\Roaming\The Bat!
C:\Users\operator\AppData\Roaming\Claws-mail\clawsrc
C:\Users\operator\AppData\Roaming\Pocomail\accounts.ini

netwrk
--------------
212.227.15.158 smtp.1and1.es Client Hello

comp
--------------
Платіжне доручення.exe 1752 TCP 212.227.15.158 587 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Платіжне доручення.exe
C:\Users\operator\Desktop\Платіжне доручення.exe

persist
--------------
n/a

drop
--------------
n/a

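The file, network and credential-store indicators above map directly onto host telemetry: a process that is not the owning browser, FTP or mail client reads several of these stores and then opens TCP 587 to 212.227.15.158, and that is the whole sandbox picture of this sample, with no persistence and no drops. The script below is an added example, not tooling from the paste: it encodes the paste's hashes, C2 socket, OneDrive cid values and credential-store paths (user profile generalised to a wildcard) and scores constructed Sysmon-style events per process, letting the owning client touch its own store but flagging anything else. The owner-process sets, the event records, the verdict thresholds and the helper names (`classify_path`, `triage`) are assumptions for the example.

```python
"""Match this paste's host and network IOCs against process telemetry.
Added example, not tooling from the original paste."""
import fnmatch
import ntpath
from collections import defaultdict

# Hashes, C2 socket and OneDrive container ids copied from the paste.
IOC_SHA256 = {
    "c0b7cb8bb82ab3b25c87aaf5aee2679857c030bb216272dc49d2d3d157a9cc9d": "Платіжне доручення.tgz",
    "3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd": "Платіжне доручення.exe",
    "76d943b7ec3646eb97870f85001cae19a2cd552b72fb4dc00d354ce8715b80f9": "child1.exe",
    "2c2fbae20d46eb124ff52f0894e82490e5e1c9f044d115a5fbc590d611bea6de": "child2.exe",
    "2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849": "child3.exe",
}
IOC_C2 = {("212.227.15.158", 587)}  # smtp.1and1.es, SMTP exfil channel
IOC_ONEDRIVE_CIDS = {"44bbfee50a375afb", "22b7c997915c7868"}

# Credential stores the sample read (paths from the paste, profile dir as a
# wildcard, lower-cased).  The owner executables are an assumption.
CRED_STORES = {  # category: (patterns, executables allowed to read them)
    "browser": ((r"*\appdata\roaming\opera software\opera stable*",
                 r"*\appdata\roaming\mozilla\firefox\profiles.ini",
                 r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db",
                 r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json",
                 r"*\appdata\roaming\opera mail\opera mail\wand.dat",
                 r"*\appdata\roaming\comodo\icedragon\profiles.ini"),
                {"firefox.exe", "opera.exe", "icedragon.exe", "operamail.exe"}),
    "ftp": ((r"*\appdata\roaming\ftpgetter\servers.xml",
             r"*\appdata\roaming\smartftp\client 2.0\favorites\*",
             r"*\appdata\roaming\coreftp\sites.idx"),
            {"ftpgetter.exe", "smartftp.exe", "coreftp.exe"}),
    "mail": ((r"*\appdata\roaming\postbox\profiles.ini",
              r"*\appdata\roaming\em client*",
              r"*\appdata\roaming\thunderbird\profiles.ini",
              r"*\appdata\roaming\the bat!*",
              r"*\appdata\roaming\claws-mail\clawsrc",
              r"*\appdata\roaming\pocomail\accounts.ini"),
             {"postbox.exe", "mailclient.exe", "thunderbird.exe", "thebat.exe",
              "claws-mail.exe", "pocomail.exe"}),
}


def classify_path(path):
    """Return the credential-store category a path belongs to, or None."""
    p = path.lower()
    for cat, (patterns, _owners) in CRED_STORES.items():
        if any(fnmatch.fnmatchcase(p, pat) for pat in patterns):
            return cat
    return None


def triage(events):
    """Fold Sysmon-style event dicts into a per-pid record with a verdict."""
    per_pid = defaultdict(lambda: {"image": "", "cred_stores": set(),
                                   "c2": False, "ioc_hash": [], "lure_url": False})
    for ev in events:
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        exe = ntpath.basename(ev["image"]).lower()
        if ev["type"] == "file_read":
            cat = classify_path(ev["path"])
            # The client that owns a store may read it; anything else is theft.
            if cat and exe not in CRED_STORES[cat][1]:
                rec["cred_stores"].add(cat)
        elif ev["type"] == "net_connect" and (ev["dst"], ev["port"]) in IOC_C2:
            rec["c2"] = True
        elif ev["type"] == "process_start" and ev["sha256"].lower() in IOC_SHA256:
            rec["ioc_hash"].append(IOC_SHA256[ev["sha256"].lower()])
        elif ev["type"] == "url":
            url = ev["url"].lower()
            if "onedrive.live.com/download" in url and any(
                    cid in url for cid in IOC_ONEDRIVE_CIDS):
                rec["lure_url"] = True
    verdicts = {}
    for pid, rec in per_pid.items():
        if rec["ioc_hash"] or (rec["c2"] and len(rec["cred_stores"]) >= 2):
            verdict = "agenttesla"      # known hash, or theft plus the exfil socket
        elif rec["c2"] or rec["cred_stores"] or rec["lure_url"]:
            verdict = "suspicious"
        else:
            verdict = "benign"
        verdicts[pid] = dict(rec, verdict=verdict)
    return verdicts


# Constructed telemetry for illustration, not the paste's sandbox output.
MALWARE = r"C:\Users\operator\Desktop\Платіжне доручення.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ROAMING = r"C:\Users\operator\AppData\Roaming"
LOGINS = ROAMING + r"\Mozilla\Firefox\Profiles\axdea46y.default\logins.json"
LURE = ("https://onedrive.live.com/download?cid=44BBFEE50A375AFB"
        "&resid=44BBFEE50A375AFB!3900&authkey=AE3hRpZjTZyiajM")
SAMPLE_EVENTS = [
    dict(pid=1752, image=MALWARE, type="process_start",
         sha256="3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd"),
    dict(pid=1752, image=MALWARE, type="file_read", path=LOGINS),
    dict(pid=1752, image=MALWARE, type="file_read", path=ROAMING + r"\CoreFTP\sites.idx"),
    dict(pid=1752, image=MALWARE, type="file_read", path=ROAMING + r"\Thunderbird\profiles.ini"),
    dict(pid=1752, image=MALWARE, type="net_connect", dst="212.227.15.158", port=587),
    dict(pid=4120, image=FIREFOX, type="file_read", path=LOGINS),   # owner, allowed
    dict(pid=4120, image=FIREFOX, type="net_connect", dst="93.184.216.34", port=443),
    dict(pid=3308, image=CHROME, type="url", url=LURE),             # lure download
]
```

Run `triage(SAMPLE_EVENTS)`: pid 1752 comes back "agenttesla" with all three store categories and the C2 hit, Firefox reading its own logins.json stays "benign", and the Chrome fetch of the OneDrive lure is "suspicious" on the cid alone, which is the right granularity for an alert before the archive is even opened.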
# # #
https://www.virustotal.com/gui/file/c0b7cb8bb82ab3b25c87aaf5aee2679857c030bb216272dc49d2d3d157a9cc9d/details
https://www.virustotal.com/gui/file/3dfa161fda2d67e9e1a2e90308a0bdc4ef9736b8f26152fd0264dd03591e66dd/details
https://analyze.intezer.com/analyses/195a9005-58aa-4c4d-ad11-757597d8e9f8

https://www.unpac.me/results/dc6cf224-7085-4875-8773-195289d3016e

https://www.virustotal.com/gui/file/76d943b7ec3646eb97870f85001cae19a2cd552b72fb4dc00d354ce8715b80f9/details
https://analyze.intezer.com/analyses/6ee98d18-9d85-49fa-b71c-076624798b66
https://www.virustotal.com/gui/file/2c2fbae20d46eb124ff52f0894e82490e5e1c9f044d115a5fbc590d611bea6de/details
https://analyze.intezer.com/analyses/86225281-c469-42a8-89f0-526359366616
https://www.virustotal.com/gui/file/2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849/details
https://analyze.intezer.com/analyses/0f1c3fd7-1071-4c49-bae7-2a64488a366b

VR
