2022-11-22 (TUESDAY) - AGENTTESLA AND REMCOS RAT FROM MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2022-11-22-AgentTesla-and-RemcosRAT-emails-6-examples.zip 4.1 MB (4,077,299 bytes)
- 2022-11-22-AgentTesla-and-RemcosRAT-malware-samples.zip 7.0 MB (6,994,202 bytes)
- 2022-11-22-AgentTesla-and-RemcosRAT-traffic-2-pcaps.zip 14.8 kB (14,815 bytes)
2022-11-21 (MONDAY) and 11-22 (TUESDAY) - AGENTTESLA AND REMCOS RAT FROM MALSPAM

INFECTION CHAIN:
- email --> attached container (disk image or rar archive) --> extracted malware EXE

AGENTTESLA MALWARE SAMPLES:
- f3f447eabd65cc05ba27dd7e90f0de0673ef0108727946e0bc0182329355bab2 BANK SLIP.rar
- 9c9334c90a2e559eed3e8fc03ab85709ab00394cc4c0f12bd481d70f30d3171b PAYMENT COPY.exe
- 7e537f4b37920b7f563a064d0009dbbb6634d9764938cbc187c8c0b0acac8410 REMITTANCE SLIP.rar
- 5d01cd68bd03ac141e8fa6e428028bb8ac569988eeea8b96b78b06249e4f4e5c REMITTANCE SLIP.exe
- a614b0e248944f7788f591664a67f2a025d60624546afdcf5c4ea0e6aaf00b2f STATEMENT OF ACCOUNT OCT.rar
- a614b0e248944f7788f591664a67f2a025d60624546afdcf5c4ea0e6aaf00b2f BANK TRANSACTION SLIP.rar [same file as above .rar]
- 5d01cd68bd03ac141e8fa6e428028bb8ac569988eeea8b96b78b06249e4f4e5c STATEMENT OF ACCOUNT OCT.exe

AGENTTESLA FILE SIZES:
- 453,936 bytes BANK SLIP.rar
- 522,240 bytes PAYMENT COPY.exe
- 1,189,376 bytes REMITTANCE SLIP.exe
- 824,832 bytes REMITTANCE SLIP.rar
- 824,841 bytes STATEMENT OF ACCOUNT OCT.rar
- 824,841 bytes BANK TRANSACTION SLIP.rar [same file as above .rar]
- 1,189,376 bytes STATEMENT OF ACCOUNT OCT.exe

AGENTTESLA TRAFFIC FROM THE ABOVE MALWARE:
- 119.148.27[.]3 port 587 - mail.orogenicgroup-bd[.]com - TLS encrypted SMTP traffic

REMCOS RAT MALWARE SAMPLES:
- 42c2b5d9d4282d3b5f370f8b70a6b2d20cbff95795e3f7237febe682667c097e EA808465.IMG
- 45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095 EA808465.exe
- a3083d81c81fd392cae0af6452dc1789c58ff83a1eda9eeef8103e1cf007673b SPECIFICATION.IMG
- 45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095 Specification.exe

REMCOS RAT FILE SIZES:
- 1,245,184 bytes EA808465.IMG
- 493,129 bytes EA808465.exe
- 1,245,184 bytes SPECIFICATION.IMG
- 493,129 bytes Specification.exe

REMCOS RAT TRAFFIC FOR THE ABOVE MALWARE:
- 185.246.220[.]39 port 1307 - drremcoz1.ddns[.]net - Remcos RAT C2 traffic
- geoplugin[.]net - GET /json.jp - location check by the infected Windows host
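The indicators above are listed in defanged form (`[.]`), and the two network indicators differ in strength: the SMTP server, the DDNS name and the IP/port pairs are specific to this activity, while geoplugin[.]net is a public service that only matters when the same host also shows a stronger indicator. The following script is an added example and not part of the original page: it refangs the indicators exactly as written above and matches them against constructed, sha256sum-style file listings, Zeek-style conn entries and simple DNS lines (all of the telemetry below is made up for illustration; the hashes, IPs and domains are the ones on this page).

```python
"""Match the IoCs from this page against constructed sample telemetry."""

# SHA256 values copied from the page, mapped to the family named there.
SHA256_IOCS = {
    "f3f447eabd65cc05ba27dd7e90f0de0673ef0108727946e0bc0182329355bab2": "AgentTesla",  # BANK SLIP.rar
    "9c9334c90a2e559eed3e8fc03ab85709ab00394cc4c0f12bd481d70f30d3171b": "AgentTesla",  # PAYMENT COPY.exe
    "7e537f4b37920b7f563a064d0009dbbb6634d9764938cbc187c8c0b0acac8410": "AgentTesla",  # REMITTANCE SLIP.rar
    "5d01cd68bd03ac141e8fa6e428028bb8ac569988eeea8b96b78b06249e4f4e5c": "AgentTesla",  # REMITTANCE SLIP.exe
    "a614b0e248944f7788f591664a67f2a025d60624546afdcf5c4ea0e6aaf00b2f": "AgentTesla",  # STATEMENT OF ACCOUNT OCT.rar
    "42c2b5d9d4282d3b5f370f8b70a6b2d20cbff95795e3f7237febe682667c097e": "Remcos RAT",  # EA808465.IMG
    "45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095": "Remcos RAT",  # EA808465.exe
    "a3083d81c81fd392cae0af6452dc1789c58ff83a1eda9eeef8103e1cf007673b": "Remcos RAT",  # SPECIFICATION.IMG
}

# Network indicators in the page's defanged notation. (host, port) pairs are
# matched rather than bare ports, because 587 is ordinary SMTP submission.
ENDPOINT_IOCS = {
    ("119.148.27[.]3", 587): "AgentTesla SMTP exfiltration",
    ("185.246.220[.]39", 1307): "Remcos RAT C2",
}
DOMAIN_IOCS = {
    "mail.orogenicgroup-bd[.]com": "AgentTesla SMTP exfiltration",
    "drremcoz1.ddns[.]net": "Remcos RAT C2",
}
# geoplugin[.]net is a public service; on its own it is only a weak signal.
WEAK_DOMAIN_IOCS = {"geoplugin[.]net": "Remcos location check"}


def refang(ioc):
    """Turn the page's defanged notation back into the literal value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(value):
    """Inverse of refang, so report output stays non-clickable."""
    return value.replace(".", "[.]")


def scan_hashes(inventory):
    """inventory: iterable of 'sha256  path' lines (sha256sum style)."""
    hits = []
    for line in inventory:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if digest in SHA256_IOCS:
            hits.append((path, SHA256_IOCS[digest]))
    return hits


def scan_conn(conn_log):
    """conn_log: Zeek-style tab-separated 'ts orig_h orig_p resp_h resp_p proto'."""
    live = {(refang(h), p): label for (h, p), label in ENDPOINT_IOCS.items()}
    hits = []
    for line in conn_log:
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, orig_h, _, resp_h, resp_p, _ = fields[:6]
        label = live.get((resp_h, int(resp_p)))
        if label:
            hits.append((ts, orig_h, defang(resp_h), int(resp_p), label))
    return hits


def scan_dns(dns_log):
    """dns_log: 'ts client query' lines. Strong IoCs always fire; the weak
    geoplugin lookup is reported only for a client that also hit a strong one."""
    strong = {refang(d): label for d, label in DOMAIN_IOCS.items()}
    weak = {refang(d): label for d, label in WEAK_DOMAIN_IOCS.items()}
    hits, flagged_clients, weak_seen = [], set(), []
    for line in dns_log:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, query = parts
        q = query.lower().rstrip(".")
        if q in strong:
            hits.append((ts, client, defang(q), strong[q]))
            flagged_clients.add(client)
        elif q in weak:
            weak_seen.append((ts, client, defang(q), weak[q]))
    hits.extend(h for h in weak_seen if h[1] in flagged_clients)
    return hits


# Constructed sample telemetry (not from the page's pcaps).
SAMPLE_INVENTORY = [
    "5d01cd68bd03ac141e8fa6e428028bb8ac569988eeea8b96b78b06249e4f4e5c  C:/Users/alice/Downloads/REMITTANCE SLIP.exe",
    "45cd8dd797af4fd769eef00243134c46c38bd9e65e15d7bd2e9b834d5e8b3095  D:/Specification.exe",
    "0000000000000000000000000000000000000000000000000000000000000000  C:/Windows/notepad.exe",
]
SAMPLE_CONN = [
    "1669100000.1\t10.0.0.15\t49712\t119.148.27.3\t587\ttcp",
    "1669100001.2\t10.0.0.15\t49713\t203.0.113.9\t587\ttcp",   # benign submission
    "1669100002.3\t10.0.0.22\t49800\t185.246.220.39\t1307\ttcp",
]
SAMPLE_DNS = [
    "1669100000.0 10.0.0.22 drremcoz1.ddns.net",
    "1669100000.5 10.0.0.22 geoplugin.net",   # same host as the C2 lookup
    "1669100001.0 10.0.0.40 geoplugin.net",   # unrelated host, not reported
]

if __name__ == "__main__":
    for hit in scan_hashes(SAMPLE_INVENTORY) + scan_conn(SAMPLE_CONN) + scan_dns(SAMPLE_DNS):
        print(hit)
```

Feed real `sha256sum` output, Zeek `conn.log` columns and DNS query logs in the same shapes to reuse the three scanners unchanged; the geoplugin lookup is deliberately suppressed unless the same client already matched a Remcos or AgentTesla indicator, which keeps that public service from generating noise on its own.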