VRad

#AgentTesla_111018

Oct 11th, 2018
#IOC #OptiData #VR #agenttesla #RAT #keylogger #RTF11882

https://pastebin.com/bkCSvJvM
previous_contact:
https://pastebin.com/JYShuXn4
FAQ:
https://radetskiy.wordpress.com/?s=11882
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email (attach) RTF > 11882 > GET > %temp%\MyOtApp\MyOtApp.exe

email_headers
--------------
Received: from balaban54.com (hosted-by.blazingfast.io [188.209.52.205] (may be forged))
by srv3.victim1.com (8.15.2/8.15.2) with ESMTP id w9B92O6x072468
for <user0@org5.victim1.com>; Thu, 11 Oct 2018 12:02:24 +0300 (EEST)
(envelope-from info@balaban54.com)
Reply-To: BALABAN GLOBAL TRADING COMPANIES <info@balaban54.com>
From: "BALABAN GLOBAL TRADING COMPANIES" <info@balaban54.com>
To: user0@org5.victim1.com
Subject: KINDLY ATTEND TO OUR RFQ
Date: 11 Oct 2018 02:02:15 -0700

email_subjects
--------------
KINDLY ATTEND TO OUR RFQ

files
--------------
SHA-256 2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998
File name Quotation-1.doc
File size 8.14 KB

SHA-256 2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027
File name tt.exe !..This program must be run under Win32
File size 632 KB

activity
**************

netwrk
--------------
111.118.215.27 lockoutindia{.} com GET /zwe/tt.exe HTTP/1.1 Mozilla/4.0
216.146.43.71 checkip.dyndns{.} org GET / HTTP/1.1
DNS > MX Standard query response 0x2ffe A smtp.egest-eg{.} com CNAME us2.smtp.mailhostbox{.} com (!) SMTP
A 208.91.199.225 A 208.91.199.223 A 208.91.198.143 A 208.91.199.224

comp
--------------
EQNEDT32.EXE 2424 111.118.215.27 80 ESTABLISHED
[System Process] 0 216.146.43.71 80 TIME_WAIT
namehdtfhrf.exe 3068 208.91.198.143 25 SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
"C:\Users\operator\AppData\Roaming\namehdtfhrf.exe"
"C:\Windows\System32\eventvwr.exe"
"C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe" C:\tmp\3382a653-d961-4e00-b429-50a18e4a7fc0.tmp
"C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe" C:\tmp\8ad986ff-cc55-4a6a-91ac-6a48c89ba336.tmp
"C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe" C:\tmp\8fe3b2a2-8f4c-4c22-a591-c689c77342e8.tmp

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11.10.2018 21:08
MyOtApp c:\tmp\myotapp\myotapp.exe 02.02.1992 9:11

drop
--------------
C:\tmp\MyOtApp\MyOtApp.exe
C:\tmp\15610947-2987-4d1b-8f5a-71573168b9ca.exe
C:\tmp\49c3ca12-7ed5-4e6f-98f6-d14f050a07e1.exe
C:\tmp\f2d8d505-723e-42b0-a0c6-5cc96406537b.exe
C:\tmp\86dabe49-9033-4063-91f4-d1f67d37da60.exe
C:\Users\operator\AppData\Roaming\namehdtfhrf.exe

# # #
https://www.virustotal.com/#/file/2d03d1f52b4c84ae9912c3f5c3b95ebfb909098f363ac9696525ed6f6433f998/community
https://www.virustotal.com/#/file/2c4e38b756dfdecaa51836c5c090f56375f16a55f39e5726e4b43bfc53b00027/community
https://analyze.intezer.com/#/analyses/6cb94330-23ee-4756-8755-3b714d671cd3

A .NET-based keylogger and RAT readily available to actors. It logs keystrokes and the host's clipboard and beacons this information back to the C2.