VRad

#agenttesla_050923

Sep 5th, 2023 (edited)
#IOC #OptiData #VR #cve_2017_1182 #EQNEDT32.EXE #ARS_Loader #VBS #AgentTesla

https://pastebin.com/fTQi4LSs

previous_contact:
22/08/22 https://pastebin.com/3JGCE5hN
25/02/21 https://pastebin.com/YCVjJ8A6
10/02/21 https://pastebin.com/9JXvM5ix
07/12/20 https://pastebin.com/20AVUqZ6
...

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email attach .xlam > OLE (1182) > ps GET .vbs > ps drop and decode .txt > exfil by 587


# # # # # # # #
email_headers
# # # # # # # #
Subject: PURCHASE ORDER
Received: from mail0.kijuso.com ([79.141.165.228])
From: Alexandra Iordache <sales@kijuso.com>
Date: 4 Sep 2023 21:55:18 -0700
Message-ID: <20230904215518.9928252E6E5E2FBC@kijuso.com>


# # # # # # # #
files
# # # # # # # #
SHA-256 efcfc634c5c7f22eb1e2631e5c9b95812e218b8e949f7d49060c237ce1ce6050
File name PURCHASE ORDER .xlam [OLE with cve-2017-1182 exploit]
File size 735.30 KB (752952 bytes)

SHA-256 a6ef554485f41737fa531b9e3cd60c27ed677d1ac4c479e093b312c5dfd45a6e
File name odumodu.vbs [ARS Loader]
File size 186.67 KB (191152 bytes)

SHA-256 637a144c6fd9c272a54dfa0afdb232409d1a73c4b0917517cba1e762d1b8b7c8
File name abachauba.txt [reverse Base64 encoded Agent Tesla]
File size 218.67 KB (223916 bytes)
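The third file is listed as a "reverse Base64 encoded" payload: the loader reverses the text of abachauba.txt and then Base64-decodes it to recover the executable. The script below is an added triage helper, not part of VRad's paste and not the loader's own code. It undoes that encoding and checks whether the result carries a DOS/PE header, so an analyst can confirm a recovered .txt really is a reversed-Base64 PE before sending it on for analysis. The sample input is constructed inline (a minimal MZ/PE header, not the real Agent Tesla binary); the function and variable names are this example's own.

```python
import base64
import binascii
from typing import Optional


def _build_sample_payload() -> bytes:
    """Constructed stand-in for the decoded payload: a minimal DOS header with
    MZ at offset 0 and e_lfanew (offset 0x3C) pointing at a PE signature.
    This is NOT the real binary from the report; it only exists so the
    example runs offline."""
    header = bytearray(64)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_PAYLOAD = _build_sample_payload()
# Constructed equivalent of abachauba.txt: Base64-encode, then reverse the text.
SAMPLE_TXT = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")[::-1]


def decode_reversed_base64(text: str) -> Optional[bytes]:
    """Reverse the text and Base64-decode it. Whitespace and line breaks are
    dropped first, missing padding is restored, and anything that is not
    valid Base64 yields None instead of garbage bytes."""
    cleaned = "".join(text.split())
    candidate = cleaned[::-1]
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: MZ magic plus a PE signature where e_lfanew
    points. Good enough to separate a decoded executable from text noise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(text: str) -> dict:
    """Summarise one recovered .txt: could it be decoded, is it a PE, how big."""
    decoded = decode_reversed_base64(text)
    if decoded is None:
        return {"decodable": False, "is_pe": False, "size": 0}
    return {"decodable": True, "is_pe": looks_like_pe(decoded), "size": len(decoded)}


if __name__ == "__main__":
    print(triage(SAMPLE_TXT))
    print(triage("not base64!!"))
```

Run it against a real recovered file by reading the file contents into `triage`; a `decodable` but non-PE result usually means a further layer (a second encoding or a script stage) sits between the .txt and the final binary.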


# # # # # # # #
activity
# # # # # # # #

PL_SCR h11p:\\94.156.253{ .247/odumodu.vbs [loader]
h11ps:\\uploaddeimagens{ .com{ .br/images/004/563/621/original/universo_vbs.jpeg?1690931855 + h11p:\\94.156.253{ .247/abachauba.txt [Agent Tesla]

C2 194.36.191.196 mail{ .sokilitok{ .info 587


netwrk
--------------
94.156.253.247 80 HTTP GET /odumodu.vbs HTTP/1.1 Mozilla/4.0
188.114.97.9 uploaddeimagens{ .com.br 443 TLSv1 Client Hello
94.156.253.247 80 HTTP GET /abachauba.txt HTTP/1.1
194.36.191.196 mail{ .sokilitok{ .info 587 TLSv1.2 Client Hello

comp
--------------
RegAsm.exe 194.36.191.196 587 ESTABLISHED


proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e

{another_context}

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\nogoforget.vbs"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command...
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
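The proc section above is the part of this report that converts most directly into host detection: Equation Editor should never have child processes, a script host running a .vbs out of AppData\Roaming is unusual on a managed workstation, and a hidden-window PowerShell with an execution-policy bypass (here with the misspelt "bypss", which a rule keyed on the exact word "bypass" would miss) is a classic loader stage. The code below is an added example, not part of VRad's paste, that runs three such rules over process-creation events. The events are constructed from the command lines listed above; the parent/child links are this example's assumptions (the report only notes that EQNEDT32.EXE runs in "another_context"), as are all field and rule names.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon event 1 or EDR
    telemetry row would provide). Field names are this example's own."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events based on the proc section of the report.
# Parent processes are assumptions: EQNEDT32.EXE is given svchost.exe as its
# parent (the usual DCOM launch), the script host is assumed to be spawned
# by EQNEDT32.EXE, PowerShell by WScript.exe and RegAsm.exe by PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\nogoforget.vbs"'),
    ProcEvent(r"C:\Windows\System32\WScript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...'),
    ProcEvent(r"C:\Windows\System32\WScript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command...'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "byp\w*" deliberately tolerates typos such as the "bypss" seen in the report.
_PS_SUSPICIOUS = re.compile(r"-windowstyle\s+hidden|-executionpolicy\s+byp\w*", re.IGNORECASE)
_ROAMING_SCRIPT = re.compile(r'\\appdata\\roaming\\[^"]*\.(vbs|vbe|js|jse|wsf)', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Apply the three rules; return (rule_id, child image name) per hit."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        parent = basename(ev.parent_image)
        child = basename(ev.image)
        # Rule 1: Equation Editor has no legitimate reason to spawn anything.
        if parent == "eqnedt32.exe":
            alerts.append(("EQNEDT32_CHILD", child))
        # Rule 2: script host executing a script dropped under AppData\Roaming.
        if child in SCRIPT_HOSTS and _ROAMING_SCRIPT.search(ev.command_line):
            alerts.append(("SCRIPT_FROM_ROAMING", child))
        # Rule 3: hidden-window or execution-policy-bypass PowerShell.
        if child == "powershell.exe" and _PS_SUSPICIOUS.search(ev.command_line):
            alerts.append(("PS_HIDDEN_OR_BYPASS", child))
    return alerts


if __name__ == "__main__":
    for rule_id, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule_id}: {image}")
```

The RegAsm.exe stage leaves no process-level signal here; it shows up instead in the comp section above as an established connection to port 587 from a .NET utility that normally never talks to the network, which is the network-side rule to pair with these three.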


persist
--------------
n/a


drop
--------------
%temp%\Temporary Internet Files\Content.IE5\JB5KY3IZ\odumodu[1].vbs
C:\Users\operator\AppData\Roaming\nogoforget.vbs


# # # # # # # #
additional info
# # # # # # # #
https://bazaar.abuse.ch/browse/tag/chi28--awelleh3-top/ by @JAMESWT_MHT https://twitter.com/JAMESWT_MHT


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/efcfc634c5c7f22eb1e2631e5c9b95812e218b8e949f7d49060c237ce1ce6050/details
https://analyze.intezer.com/analyses/fce1aa61-c293-4a31-a7e7-ff6e314e5e63/iocs
https://www.virustotal.com/gui/file/a6ef554485f41737fa531b9e3cd60c27ed677d1ac4c479e093b312c5dfd45a6e/details
https://analyze.intezer.com/analyses/68b968f0-e710-4570-aa80-fd07478cc174
https://www.virustotal.com/gui/file/637a144c6fd9c272a54dfa0afdb232409d1a73c4b0917517cba1e762d1b8b7c8/details

VR