VRad
#agenttesla_170124

Jan 17th, 2024 (edited)
#IOC #OptiData #VR #cve_2017_11882 #EQNEDT32.EXE #AgentTesla #SMTP

https://pastebin.com/nVTHh0rE

previous_contact:
05/09/23 https://pastebin.com/fTQi4LSs
22/08/22 https://pastebin.com/3JGCE5hN
25/02/21 https://pastebin.com/YCVjJ8A6
10/02/21 https://pastebin.com/9JXvM5ix
07/12/20 https://pastebin.com/20AVUqZ6

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email attach .doc (RTF) > OLE (CVE-2017-11882, EQNEDT32.EXE) > GET .exe > exfil by SMTP 587

# # # # # # # #
email_headers
# # # # # # # #
Date: 16 Jan 2024 08:16:30 -0800
Subject: RE: ADVANCE TT SLIP // DECEMBER 2023 SOA PAYMENT
From: Zoey wen <zoey_wen@unifelix.com>
Received: from unknown (HELO unifelix.com) ([38.154.207.220])
Message-ID: <20240116081630.E8FACCD2BCF942A7@unifelix.com>

# # # # # # # #
files
# # # # # # # #
SHA-256 b05e4eb783c9785bbd7d9453609d23379f5bab8d5e09e00b75b634146e8bdb76
File name PROFORMA SOA.doc [ Rich Text Format data, version 1 ]
File size 316.57 KB (324168 bytes)

SHA-256 c99591e2e00cc7625f8b8af1eeb04b19b76e5b44f74669fe6b899fbc7b201f6b
File name alphazx.exe [ PE32 executable, .NET executable ]
File size 565.50 KB (579072 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR civil_topendpower_top /_errorpages /alphazx.exe

C2 mail_kp_gov_pk : 587 [103_240_220_37]


netwrk
--------------
104_21_8_130 civil_topendpower_top 80 HTTP GET /_errorpages/alphazx.exe HTTP/1.1 Mozilla/4.0
208_95_112_1 ip-api_com 80 HTTP GET /line/?fields=hosting HTTP/1.1
103_240_220_37 mail_kp_gov_pk 587 SMTP TLSv1.2 Client Hello

comp
--------------
EQNEDT32.EXE 104_21_8_130 80 ESTABLISHED
alpha28464.exe 208_95_112_1 80 ESTABLISHED
alpha28464.exe 103_240_220_37 587 ESTABLISHED

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

{another_context}

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\operator\AppData\Roaming\alpha28464.exe
C:\Users\operator\AppData\Roaming\alpha28464.exe

persist
--------------
n/a

drop
--------------
%temp%\Temporary Internet Files\Content.IE5\5R2UONLM\alphazx[1].htm
C:\Users\operator\AppData\Roaming\alpha28464.exe

# # # # # # # #
additional info
# # # # # # # #
{
"Exfil Mode": "SMTP",
"Port": "587",
"Host": "mail_kp_gov_pk",
"Username": "schedule-iv.hta@kp.gov.pk",
"Password": "Police1@home"
}

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/b05e4eb783c9785bbd7d9453609d23379f5bab8d5e09e00b75b634146e8bdb76/details
https://analyze.intezer.com/analyses/a60cb8b5-b276-465f-b6f1-df56df180c2f
https://www.virustotal.com/gui/file/c99591e2e00cc7625f8b8af1eeb04b19b76e5b44f74669fe6b899fbc7b201f6b/details
https://analyze.intezer.com/analyses/a60cb8b5-b276-465f-b6f1-df56df180c2f/sub/c8b2afcc-9097-4eb1-bf59-101d86acce7f

VR