2024-06-10 (MONDAY): MALSPAM PUSHING ORIGINLOGGER (AGENTTESLA)
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2024-06-10-IOCs-for-OriginLogger.txt.zip 1.1 kB (1,094 bytes)
- 2024-06-10-IOCs-for-OriginLogger.txt (1,419 bytes)
- 2024-06-10-OriginLogger-malspam-1534-UTC.eml.zip 715.7 kB (715,655 bytes)
- 2024-06-10-OriginLogger-malspam-1534-UTC.eml (946,286 bytes)
- 2024-06-10-OriginLogger-infection.pcap.zip 10.9 kB (10,948 bytes)
- 2024-06-10-OriginLogger-infection.pcap (15,528 bytes)
- 2024-06-10-OriginLogger-malware-and-artifacts.zip 1.4 MB (1,386,576 bytes)
  - 2024-06-10-IOCs-for-OriginLogger.txt (1,419 bytes)
  - 2024-06-10-registry-update-for-OriginLogger.txt (594 bytes)
  - SOA MAY 2024.exe (731,136 bytes)
  - SOA MAY 2024.rar (685,220 bytes)
2024-06-10 (MONDAY): MALSPAM PUSHING ORIGINLOGGER (AGENTTESLA)

NOTES:
- For more information on the name change from AgentTesla to OriginLogger, see: https://unit42.paloaltonetworks.com/originlogger/

ASSOCIATED EMAIL:
- Received: from unassigned.quadranet[.]com (unknown [155.94.210[.]73]) [info removed]; Mon, 2024-06-10 15:34:41 UTC
- From: albee.leun@expressairhkg[.]com
- Subject: SOA_MAY_ 2024
- Date: 2024-06-10 15:34:34 UTC
- Message-ID: <20240610083433.3E9560A3D24EAB5D@expressairhkg[.]com>
- Attachment name: SOA MAY 2024.rar

ASSOCIATED MALWARE:
- SHA256 hash: 891b5bb34a57b6f58d635f8c3c64e9f1ca2fec59030fb9094fa3efebfb5b8729
- File size: 685,220 bytes
- File name: SOA MAY 2024.rar
- File type: RAR archive data, v5
- File description: Email attachment, RAR archive containing malicious file for OriginLogger (AgentTesla)

- SHA256 hash: 4210e25c33df901302fe42704fcd0832729e4efade9da5abe6a8f2512244024f
- File size: 731,136 bytes
- File name: SOA MAY 2024.exe
- Persistent location after infection: C:\Users\[username]\AppData\Roaming\jBpFfg\jBpFfg.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: EXE for OriginLogger (AgentTesla) extracted from the above RAR archive

INFECTION TRAFFIC:
- port 443 - api.ipify[.]org - HTTPS traffic
- 82.209.169[.]34 port 587 - mail.bredband2[.]com - TLS-encrypted SMTP traffic
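The two behavioural indicators above (an EXE persisting as AppData\Roaming\<name>\<name>.exe, and an external-IP lookup to api.ipify.org followed by TLS-wrapped SMTP on port 587) can be turned into simple host and network detection checks. The following is an added example, not part of the original post or the IOC file: the connection log it runs over is constructed, and the extra SMTP ports 25 and 465 are an assumption beyond what the pcap shows.

```python
"""
Detection helpers for the OriginLogger (AgentTesla) indicators listed above.

Assumptions (not from the original post):
  - Connection records are (process_name, destination_host, destination_port)
    tuples, e.g. from Sysmon Event ID 3 or an EDR network log.
  - Ports 25 and 465 are included as SMTP ports; the pcap only shows 587.
"""
import re

# Persistence pattern from the IOC file: the folder name under AppData\Roaming
# equals the executable name inside it (jBpFfg\jBpFfg.exe). The backreference \1
# enforces that equality so generic Roaming\Vendor\app.exe paths are not flagged.
PERSISTENCE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\([^\\]+)\\\1\.exe$",
    re.IGNORECASE,
)

# External-IP lookup service seen in the infection traffic (defanged on the page).
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# 587 is what the pcap shows; 25 and 465 are an assumed extension.
SMTP_PORTS = {587, 25, 465}


def is_suspicious_persistence_path(path: str) -> bool:
    """True when an EXE sits in Roaming\\<name>\\<name>.exe, as OriginLogger did here."""
    return PERSISTENCE_RE.match(path.strip()) is not None


def find_exfil_candidates(connections):
    """
    Return the process names that first queried an external-IP lookup host and
    later opened an SMTP connection. The ordering mirrors the observed traffic:
    the ipify lookup happens before the SMTP session that carries stolen data.
    A process that only does one of the two is not flagged, which keeps browsers
    (IP lookups) and mail clients (SMTP) out of the result.
    """
    saw_lookup = set()
    flagged = []
    for proc, host, port in connections:
        host = host.lower()
        if host in IP_LOOKUP_HOSTS:
            saw_lookup.add(proc)
        elif port in SMTP_PORTS and proc in saw_lookup and proc not in flagged:
            flagged.append(proc)
    return flagged


# Constructed sample connection log (not from the pcap on this page).
SAMPLE_CONNECTIONS = [
    ("jBpFfg.exe", "api.ipify.org", 443),        # malware checks its public IP
    ("jBpFfg.exe", "mail.bredband2.com", 587),   # then exfiltrates over SMTP
    ("outlook.exe", "smtp.office365.com", 587),  # normal mail client, no lookup
    ("chrome.exe", "api.ipify.org", 443),        # user visiting the lookup site
]


if __name__ == "__main__":
    print("persistence path match:",
          is_suspicious_persistence_path(
              r"C:\Users\alice\AppData\Roaming\jBpFfg\jBpFfg.exe"))
    print("exfil candidates:", find_exfil_candidates(SAMPLE_CONNECTIONS))
```

Only the malware process is reported from the sample log; the mail client and the browser each match one half of the pattern and are left alone. The path check works on any user name because the IOC file gives the location with a [username] placeholder.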
IMAGES:
- Screenshot from the email.
- Malicious EXE extracted from the RAR attachment.
- Traffic from an infection filtered in Wireshark.
- OriginLogger (AgentTesla) malware persistent on the infected Windows host through a registry update.