2024-12-04 (WEDNESDAY): AGENTTESLA VARIANT USING FTP
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2024-12-04-IOCs-for-AgentTesla-variant-using-FTP.txt.zip 1.4 kB (1,392 bytes)
- 2024-12-04-AgentTesla-variant-malspam-1251-UTC.eml.zip 832.3 kB (832,315 bytes)
- 2024-12-04-AgentTesla-variant-using-FTP.pcap.zip 18.5 kB (18,539 bytes)
- 2024-12-04-AgentTesla-variant-malware.zip 1.6 MB (1,614,766 bytes)
NOTES:
- Not sure if this is Origin Logger, Snake Key Logger or VIP Recover/VIP Key Logger, but it's an AgentTesla variant.
- Saw a similar infection on 2024-11-25, but I didn't post a blog on it, only social media:
-- https://www.linkedin.com/posts/bradley-duncan-13477868_malware-agenttesla-originlogger-activity-7266937901085548544-_hf6/
-- https://bsky.app/profile/malware-traffic.bsky.social/post/3lbsjahzpas2p

HEADER LINES FROM EMAIL DISTRIBUTING THE MALWARE:
- Received: from [94.141.120[.]32] (unknown [94.141.120[.]32]) [info removed]; Wed, 04 Dec 2024 12:51:16 +0000 (UTC)
- From: =?UTF-8?B?U2VydGFuIMOHT0tFUg==?=
- Subject: PURCHASE QUOTATION
- Date: 4 Dec 2024 04:51:17 -0800
- Message-ID: <20241204045117.4A43A7B93A5F2488@acronas[.]com[.]tr>
- Attachment name: TECHNICAL SPECIFICATIONS.TAR

ASSOCIATED MALWARE:
- SHA256 hash: 5c98308c69c84a57214442e2cadc9f8f0fcdbab8e6050f9915ac336b6f1d59f0
- File size: 798,831 bytes
- File name: TECHNICAL SPECIFICATIONS.TAR
- File type: RAR archive data, v4, os: Win32
- File description: Email attachment, RAR archive containing EXE for AgentTesla variant

- SHA256 hash: d1b068b826e3a9527cddd09866886caba895f390af930a9b35c027eb1c2db34c
- File size: 1,096,704 bytes
- File name: TECHNICAL SPECIFICATIONS.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: EXE extracted from the above RAR archive, AgentTesla variant

INFECTION TRAFFIC:
- port 443 - api.ipify[.]org - HTTPS traffic, IP address check by infected host, not malicious
- 192.254.225[.]136 port 21 - ftp.ercolina-usa[.]com - FTP control channel traffic
- 192.254.225[.]136 various ports - ftp.ercolina-usa[.]com - FTP data traffic
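The traffic list above shows the pattern that makes FTP exfiltration awkward to review: one control channel on port 21 and the actual file transfers on "various ports". The server picks those ports in its "227 Entering Passive Mode" replies, so an analyst correlating a pcap or a connection log has to compute each data port (p1*256 + p2) and tie it back to the STOR command that used it. The script below does that correlation. It is an added example written for this post, not code from the original page or from the pcap; the FTP transcript, client address, file names and byte counts are constructed sample data on documentation IP ranges, not values from this infection.

```python
"""Tie FTP uploads seen on the control channel (port 21) to the passive-mode
data connections that carried them.

Added example, not from the original post.  CONTROL_SESSION and
DATA_CONNECTIONS are constructed sample data: the server 192.0.2.10, the
client 10.12.4.55, the STOR file names and the byte counts are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server names the
# address and port the client must open for the data channel, with the
# port encoded as p1*256 + p2.  This is why the data traffic lands on
# "various ports" while the control channel stays on port 21.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# One observed TCP connection:
# (client_ip, client_port, server_ip, server_port, bytes_sent_by_client)
Conn = Tuple[str, int, str, int, int]


@dataclass
class Upload:
    filename: str
    data_ip: str
    data_port: int
    conn: Optional[Conn] = None  # data connection matched to this STOR, if any


def pasv_endpoint(reply: str) -> Optional[Tuple[str, int]]:
    """Parse a 227 reply into the (ip, port) the data channel will use."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_uploads(control: List[Tuple[str, str]], conns: List[Conn]) -> List[Upload]:
    """Walk the control channel ('C' = client line, 'S' = server line).

    Each STOR is paired with the most recent 227 reply, and that endpoint is
    looked up in the observed connections to find the data channel that
    carried the file.
    """
    uploads: List[Upload] = []
    pending: Optional[Tuple[str, int]] = None
    for side, line in control:
        if side == "S":
            ep = pasv_endpoint(line)
            if ep:
                pending = ep
        elif side == "C" and line.upper().startswith("STOR ") and pending:
            ip, port = pending
            match = next((c for c in conns if c[2] == ip and c[3] == port), None)
            uploads.append(Upload(line[5:].strip(), ip, port, match))
            pending = None  # a PASV endpoint is good for exactly one data connection
    return uploads


def bytes_uploaded(uploads: List[Upload]) -> int:
    """Total bytes the client pushed over the matched data channels."""
    return sum(u.conn[4] for u in uploads if u.conn)


# --- constructed sample data (not from the post's pcap) ---------------------
CONTROL_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER example-account"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Login successful"),
    ("C", "TYPE I"),
    ("S", "200 Type set to I"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,84)."),
    ("C", "STOR report-1.html"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,200,3)."),
    ("C", "STOR report-2.html"),
    ("S", "150 Opening BINARY mode data connection"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
]

DATA_CONNECTIONS: List[Conn] = [
    ("10.12.4.55", 51402, "192.0.2.10", 50004, 18311),  # 195*256+84 = 50004
    ("10.12.4.55", 51403, "192.0.2.10", 51203, 9120),   # 200*256+3  = 51203
    ("10.12.4.55", 51410, "203.0.113.7", 443, 812),     # unrelated HTTPS, no match
]

if __name__ == "__main__":
    for u in find_uploads(CONTROL_SESSION, DATA_CONNECTIONS):
        where = f"{u.data_ip}:{u.data_port}"
        if u.conn:
            print(f"STOR {u.filename} -> {where} via {u.conn[0]}:{u.conn[1]}, {u.conn[4]} bytes")
        else:
            print(f"STOR {u.filename} -> {where} (no data connection observed)")
    print("total uploaded:", bytes_uploaded(find_uploads(CONTROL_SESSION, DATA_CONNECTIONS)), "bytes")
```

Wireshark performs the same correlation when it sees the 227 reply, which is why a display filter of `ftp || ftp-data` shows both channels together in the screenshot section below. For detection, the combination worth alerting on is exactly what this script surfaces: an internal host logging in to an external FTP server and issuing STOR, followed by outbound data on the server-chosen port.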
IMAGES
Shown above: Screenshot of the email.
Shown above: TAR archive and its content.
Shown above: Malware persistent on the infected Windows host.
Shown above: Traffic for the FTP data exfiltration filtered in Wireshark.