VRad

#agenttesla_040821

Aug 4th, 2021 (edited)
#IOC #OptiData #VR #AgentTesla #AgentTeslaV3 #TGZ

https://pastebin.com/yTFWfN94

previous_contact:
25/02/21 https://pastebin.com/YCVjJ8A6
10/02/21 https://pastebin.com/9JXvM5ix
07/12/20 https://pastebin.com/20AVUqZ6
04/12/20 https://pastebin.com/PYFMBfkg
15/06/20 https://pastebin.com/pma5MQAW
12/06/20 https://pastebin.com/SKNts0Es
29/10/19 https://pastebin.com/RinpBPvy
03/09/19 https://pastebin.com/zhJvDz8M
09/01/19 https://pastebin.com/MdDfZDdb
16/10/18 https://pastebin.com/d5DxTRrB
04/10/18 https://pastebin.com/JYShuXn4
11/10/18 https://pastebin.com/bkCSvJvM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

attack_vector
--------------
email > URL to OneDrive > TGZ > EXE > !delay 3 min! > exfil to smtp.gmail.com:587
(the executable sleeps about 3 minutes before touching the network, so a sandbox run shorter than that records no SMTP traffic; stolen data leaves over plain outbound SMTP to Gmail on 587, there is no separate C2 protocol)


email_headers
--------------
Received: from utopia1.vservers.es (utopia1.vservers.es [188.164.199.149])
Received: from webmail.ingesal.es (localhost.localdomain [IPv6:::1])
Date: Wed, 04 Aug 2021 05:02:37 +0200
From: Оплата та виставлення рахунків Укрсиббанк <gullonnieto@ingesal.es>   [display name, Ukrainian: "Payment and invoicing, UKRSIBBANK"]
Subject: Підтвердження рахунків-фактур, сплачених у встановлений термін   [Ukrainian: "Confirmation of invoices paid by the due date"]
User-Agent: Roundcube Webmail/1.4.11
X-Sender: gullonnieto@ingesal.es
(note the mismatch: the display name impersonates a Ukrainian bank, but the message was sent from a Roundcube webmail account at a Spanish domain, ingesal.es, via a Spanish hosting provider)


files
--------------
SHA-256 8018b63bffbfcea96953755d8a07df253bbca2b11c3350d4002ea9f281f60f12
File name Заплачені рахунки-фактури.tgz [ gzip compressed data ]   (Ukrainian: "Paid invoices.tgz")
File size 647.74 KB (663285 bytes)

SHA-256 ba064650e5c04853b071b9213fc1f6629ea1ddc226ac904a285b1eb3cf414e99
File name Заплачені рахунки-фактури.exe [ .NET executable ]   (Ukrainian: "Paid invoices.exe")
File size 795.00 KB (814080 bytes)


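The archive above is identified only as "gzip compressed data", which is what `file` reports for both a bare .gz and a .tgz. The following Python triage script is an added example, not part of the original paste or the analyst's tooling: it decompresses such an attachment in memory, lists tar members (or treats the payload as one gzip'd file), flags anything carrying a PE header or an executable extension, and compares SHA-256 values with the two hashes from this report. The sample archive it builds is a constructed stand-in holding a minimal fake PE image, not the real malware, so its hash does not match the indicators.

```python
import gzip
import hashlib
import io
import tarfile

# The two SHA-256 values published in this report.
IOC_SHA256 = {
    "8018b63bffbfcea96953755d8a07df253bbca2b11c3350d4002ea9f281f60f12": "Заплачені рахунки-фактури.tgz",
    "ba064650e5c04853b071b9213fc1f6629ea1ddc226ac904a285b1eb3cf414e99": "Заплачені рахунки-фактури.exe",
}
EXEC_SUFFIXES = (".exe", ".scr", ".dll", ".com", ".pif")


def is_pe(data):
    """True when the buffer starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def describe(name, data):
    """Hash one extracted member and compare it with the report's indicators."""
    digest = hashlib.sha256(data).hexdigest()
    pe = is_pe(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": digest,
        "is_pe": pe,
        "ioc_match": IOC_SHA256.get(digest),
        "suspicious": pe or name.lower().endswith(EXEC_SUFFIXES),
    }


def triage_tgz(blob):
    """Inspect a gzip attachment in memory: list tar members if it is a tarball, otherwise
    treat the decompressed bytes as a single file. Nothing is written to disk or executed."""
    raw = gzip.decompress(blob)
    try:
        with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
            return [
                describe(m.name, tf.extractfile(m).read())
                for m in tf.getmembers() if m.isfile()
            ]
    except tarfile.TarError:
        # Not a tar: a bare .gz that `file` also reports as "gzip compressed data".
        return [describe("<gzip payload>", raw)]


def build_sample_tgz():
    """Constructed stand-in for the attachment: a tar.gz holding a minimal fake PE image
    (MZ stub plus PE signature, no code), so the script runs without the real sample."""
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
    pe[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("Заплачені рахунки-фактури.exe")
        info.size = len(pe)
        tf.addfile(info, io.BytesIO(bytes(pe)))
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_tgz(build_sample_tgz()):
        flag = "IOC HIT" if entry["ioc_match"] else ("suspicious" if entry["suspicious"] else "ok")
        print(f'{entry["name"]}: {entry["size"]} bytes, PE={entry["is_pe"]}, {flag}, sha256={entry["sha256"]}')
```

Run it against a real attachment by passing the file's bytes to `triage_tgz` instead of the constructed sample; the PE check catches a renamed executable even when the member name looks like a document.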
activity
**************
PL_SCR https://onedrive.live.com/download?cid=268BF90C75B12557&resid=268BF90C75B12557%21121&authkey=AKR4nvAsgk1eHjc

C2 (SMTP exfil) [smtp.gmail.com] 172.217.218.108, 108.177.127.108
(these are Google's shared mail servers, also used by legitimate clients; alert on the process that opens the connection rather than on the IPs alone)

netwrk
--------------
1.1.1.1 Standard query 0xc545 A smtp.gmail.com
172.217.218.108 51451 → 587 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

comp
--------------
Заплачені рахунки-фактури.exe 3408 TCP 108.177.127.108 587 ESTABLISHED
Заплачені рахунки-фактури.exe 2100 TCP 172.217.218.108 587 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Заплачені рахунки-фактури.exe
C:\Users\operator\Desktop\Заплачені рахунки-фактури.exe
C:\Users\operator\Desktop\Заплачені рахунки-фактури.exe

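The netwrk, comp and proc sections are what an endpoint sensor sees for this sample: a .NET executable running from the user's Desktop opening outbound SMTP to smtp.gmail.com:587. The Python below is an added example, not from the paste: it parses connection lines in the comp format, joins them to the proc paths, and scores each one against behavioural rules (SMTP from a non-mail-client, SMTP from a user-writable path) plus the report's host and IPs. The mail-client allowlist, the IP-to-name cache and the two benign lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicators from this report. The two IPs belong to Google's shared mail
# infrastructure, so they only corroborate; the behavioural rules carry the weight.
C2_HOSTS = {"smtp.gmail.com"}
C2_IPS = {"172.217.218.108", "108.177.127.108"}
SMTP_PORTS = {25, 465, 587}

# Assumed allowlist (hypothetical): processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Directories a user-launched phishing payload typically executes from.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata|temp)\\", re.I)

# Line shape of the report's "comp" section: <image> <pid> <proto> <dst_ip> <dst_port> <state>
COMP_LINE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ip>[\d.]+)\s+(?P<port>\d+)\s+(?P<state>\w+)$"
)


@dataclass
class NetEvent:
    image: str      # full path when the proc list knows it, else the bare image name
    pid: int
    dst_ip: str
    dst_port: int
    dns_name: str   # name the destination IP was resolved from, "" if unknown


def parse_comp_line(line, proc_paths, dns_cache):
    """Parse one comp line. proc_paths maps lower-case image name -> full path (from the
    proc section); dns_cache maps IP -> queried name (assumed to come from a DNS sensor)."""
    m = COMP_LINE.match(line.strip())
    if not m:
        return None
    image = proc_paths.get(m["image"].lower(), m["image"])
    return NetEvent(image, int(m["pid"]), m["ip"], int(m["port"]), dns_cache.get(m["ip"], ""))


def score(ev):
    """Return the rules the event trips; an empty list means nothing suspicious."""
    reasons = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.dst_port in SMTP_PORTS and exe not in MAIL_CLIENTS:
        reasons.append("smtp_from_non_mail_client")
    if ev.dst_port in SMTP_PORTS and USER_WRITABLE.search(ev.image):
        reasons.append("smtp_from_user_writable_path")
    if ev.dns_name in C2_HOSTS:
        reasons.append("ioc_host")
    if ev.dst_ip in C2_IPS:
        reasons.append("ioc_ip")
    return reasons


def detect(comp_lines, proc_lines, dns_cache):
    """Run the rules over comp-format lines; returns (pid, image, reasons) for every hit."""
    proc_paths = {p.rsplit("\\", 1)[-1].lower(): p for p in proc_lines}
    hits = []
    for line in comp_lines:
        ev = parse_comp_line(line, proc_paths, dns_cache)
        if ev is None:
            continue
        reasons = score(ev)
        if reasons:
            hits.append((ev.pid, ev.image, reasons))
    return hits


# Constructed sample telemetry: the two lines from this report plus two benign lines
# (Outlook and a browser) using documentation-range IPs that are not indicators.
SAMPLE_PROC = [
    r"C:\Users\operator\Desktop\Заплачені рахунки-фактури.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
]
SAMPLE_COMP = [
    "Заплачені рахунки-фактури.exe 3408 TCP 108.177.127.108 587 ESTABLISHED",
    "Заплачені рахунки-фактури.exe 2100 TCP 172.217.218.108 587 ESTABLISHED",
    "OUTLOOK.EXE 1200 TCP 203.0.113.25 587 ESTABLISHED",
    "chrome.exe 900 TCP 203.0.113.80 443 ESTABLISHED",
]
# Assumed resolver cache built from the netwrk section (A query for smtp.gmail.com via 1.1.1.1).
SAMPLE_DNS = {"172.217.218.108": "smtp.gmail.com", "108.177.127.108": "smtp.gmail.com"}

if __name__ == "__main__":
    for pid, image, reasons in detect(SAMPLE_COMP, SAMPLE_PROC, SAMPLE_DNS):
        print(f"pid {pid}: {image} -> {', '.join(reasons)}")
```

The two behavioural rules fire without any IP or hostname knowledge, which matters here: AgentTesla builds change the exfil mailbox freely, and Gmail's server IPs rotate, while "a binary on the Desktop speaking SMTP" stays constant across variants. The Outlook line passes because the allowlist and the Program Files path both clear it.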
persist
--------------
n/a

drop
--------------
n/a

# # #
VT details
https://www.virustotal.com/gui/file/8018b63bffbfcea96953755d8a07df253bbca2b11c3350d4002ea9f281f60f12/details
https://www.virustotal.com/gui/file/ba064650e5c04853b071b9213fc1f6629ea1ddc226ac904a285b1eb3cf414e99/details
https://analyze.intezer.com/analyses/688bcd2d-3013-4f9f-823a-3f78edd27f1f

VR