2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt
2023-01-05 (THURSDAY) - MALSPAM CAUSES INFECTION FOR AGENT TESLA VARIANT, POSSIBLY ORIGINLOGGER
INFECTION CHAIN:
- email --> attached .iso file --> contains .exe file --> .exe loads encoded binary --> binary decoded & used to generate Agent Tesla-style traffic
NOTES:
- This malware triggers alerts for Agent Tesla, but it is likely OriginLogger as discussed here: https://unit42.paloaltonetworks.com/originlogger/
- The malware EXE used for this infection retrieves an XOR-encoded binary from a web server.
- The XOR-encoded binary is decoded into a malicious DLL that is used to generate Agent Tesla-style traffic.
- The decoded DLL is not saved to disk.
- The infected host will start this entire process again after the host is rebooted, or the victim logs off & logs back in.
EMAIL INFORMATION FROM MALSPAM:
- Received: from multisped.com.mk (multisped.com.mk [185.250.254.32]); Thu, 5 Jan 2023 04:18:36 +0000 (UTC)
- From: JPMorgan Chase Bank N.A <goran.apostolov@multisped.com.mk>
- Subject: BANK PAYMENT NOTIFICATION
- Attachment name: Payment Copy_Chase Bank_Pdf.iso
ASSOCIATED FILES:
- SHA256 hash: 926a3142270a52f8afb93490d5dd21f0ca23bc0815ee6630068cf6409d8ee448
- File size: 1,245,184 bytes
- File name: Payment Copy_Chase Bank_Pdf.iso
- File type: UDF filesystem data (version 1.5) 'PAYMENT_COPY_CHASE_BANK_PDF'
- File description: This file mounts as a disk image on Windows and Mac hosts
- SHA256 hash: 5016ba92afac1c2b2a2a6b17a09406869bd6f58cfe680f25030af1a1ba1c29a2
- File size: 26,112 bytes
- File name: Payment Copy_Chase Bank_Pdf.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE retrieved from the above .iso file
- SHA256 hash: 90d977ca0a3331d78005912d2b191d26e33fa2c6ef17602d6173164ba83fd85e
- File size: 664,576 bytes
- File location: hxxp://savory.com[.]bd/sav/Ztvfo.png
- File type: data
- File description: Malicious binary XOR-ed with the ASCII string: Sfhdjkpkowgnpcgoshb
- SHA256 hash: 3883d374ba0736254a89e310b86f3c3769adcaed471b103b5c0a8a2f16cf5c8d
- File size: 664,576 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Malicious DLL file decoded from the above binary
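Added analysis helper (not part of the original IOC notes): given a copy of the encoded download carved from a pcap, it undoes the repeating-key XOR with the ASCII key quoted above, checks that the result parses as a PE file, and compares its SHA256 with the DLL hash listed above. It also shows a key-recovery heuristic for the same scheme: the DOS header of a standard PE is zero between 0x1C and 0x3B, so the ciphertext there is the key itself. The sample blob is constructed inline (a minimal fake PE image), not the real Ztvfo.png.

```python
import hashlib
from itertools import cycle
from typing import Optional

XOR_KEY = b"Sfhdjkpkowgnpcgoshb"  # ASCII key from the IOC notes above
# SHA256 of the decoded DLL as listed in ASSOCIATED FILES; compare a real capture against it.
EXPECTED_DLL_SHA256 = "3883d374ba0736254a89e310b86f3c3769adcaed471b103b5c0a8a2f16cf5c8d"

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def is_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Heuristic: bytes 0x1C-0x3B of a standard DOS header are usually zero, so the
    encoded bytes there equal the key. Take a window in that run that starts on a
    key boundary; returns None if a key of this length does not fit in the run."""
    start = -(-0x1C // key_len) * key_len  # first key-aligned offset >= 0x1C
    if start + key_len > 0x3C or len(blob) < 0x3C:
        return None
    return blob[start:start + key_len]

def analyze(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Decode a captured payload; report PE-ness, SHA256 and whether it matches the IOC."""
    decoded = xor_decode(blob, key)
    digest = hashlib.sha256(decoded).hexdigest()
    return {"is_pe": is_pe(decoded), "sha256": digest,
            "matches_ioc": digest == EXPECTED_DLL_SHA256}

def constructed_sample() -> bytes:
    """Constructed stand-in for the downloaded file: a minimal fake PE image
    (DOS header + PE signature) encoded with the same key, so the code runs offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE header at 0x40
    image = bytes(dos) + b"PE\0\0" + b"\0" * 20     # bogus but parseable header
    return xor_decode(image, XOR_KEY)

if __name__ == "__main__":
    blob = constructed_sample()
    print("recovered key:", recover_key(blob, len(XOR_KEY)))
    print(analyze(blob))
```

On the constructed sample `matches_ioc` is False by design; it only becomes True for the genuine decoded DLL.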
INFECTION TRAFFIC:
- 45.56.99[.]101 port 80 - savory.com[.]bd - GET /sav/Ztvfo.png
- port 443 - api.ipify.org - HTTPS traffic, public IP address check by the infected Windows host, not inherently malicious
- 204.11.58[.]28 port 587 - mail.transgear[.]in - unencrypted SMTP traffic generated by Agent Tesla variant