2024-12-04 (WEDNESDAY): AGENTTESLA VARIANT USING FTP

NOTES:

- Not sure if this is Origin Logger, Snake Key Logger or VIP Recover/VIP Key Logger, but it's an AgentTesla variant.
- Saw a similar infection on 2024-11-25, but I didn't post a blog on it, only social media:
  -- https://www.linkedin.com/posts/bradley-duncan-13477868_malware-agenttesla-originlogger-activity-7266937901085548544-_hf6/
  -- https://bsky.app/profile/malware-traffic.bsky.social/post/3lbsjahzpas2p

HEADER LINES FROM EMAIL DISTRIBUTING THE MALWARE:

- Received: from [94.141.120[.]32] (unknown [94.141.120[.]32])
  [info removed]; Wed, 04 Dec 2024 12:51:16 +0000 (UTC)
- From: =?UTF-8?B?U2VydGFuIMOHT0tFUg==?= 
- Subject: PURCHASE QUOTATION
- Date: 4 Dec 2024 04:51:17 -0800
- Message-ID: <20241204045117.4A43A7B93A5F2488@acronas[.]com[.]tr>
- Attachment name: TECHNICAL SPECIFICATIONS.TAR

ASSOCIATED MALWARE:

- SHA256 hash: 5c98308c69c84a57214442e2cadc9f8f0fcdbab8e6050f9915ac336b6f1d59f0
- File size: 798,831 bytes
- File name: TECHNICAL SPECIFICATIONS.TAR
- File type: RAR archive data, v4, os: Win32
- File description: Email attachment, RAR archive containing EXE for AgentTesla variant

- SHA256 hash: d1b068b826e3a9527cddd09866886caba895f390af930a9b35c027eb1c2db34c
- File size: 1,096,704 bytes
- File name: TECHNICAL SPECIFICATIONS.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: EXE extracted from the above RAR archive, AgentTesla variant

INFECTION TRAFFIC:

- port 443 - api.ipify[.]org - HTTPS traffic, IP address check by infected host, not malicious
- 192.254.225[.]136 port 21 - ftp.ercolina-usa[.]com - FTP control channel traffic
- 192.254.225[.]136 various ports - ftp.ercolina-usa[.]com - FTP data traffic
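The "various ports" for the FTP data traffic are negotiated on the port 21 control channel (PASV replies or PORT commands). The following is an added Python example of my own, not code from the post: it walks a constructed control-channel transcript, pairs each STOR upload with its data endpoint, and builds a Wireshark display filter for just those connections. Only the server IP is from the post; the user name, password and file names are placeholders.

```python
import re

# Constructed FTP control-channel transcript, not lines from the capture:
# ">" marks client commands, "<" marks server replies. Only the server IP
# comes from the post; user, password and file names are placeholders.
SAMPLE_CONTROL_CHANNEL = """\
< 220 FTP Server ready.
> USER placeholder_user
< 331 Password required
> PASS placeholder_password
< 230 Login successful
> PASV
< 227 Entering Passive Mode (192,254,225,136,195,80)
> STOR constructed_upload_1.html
< 226 Transfer complete
> PASV
< 227 Entering Passive Mode (192,254,225,136,200,17)
> STOR constructed_upload_2.jpeg
< 226 Transfer complete
> QUIT
"""

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple (PASV reply or PORT command)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze_ftp_control(transcript):
    """Pair each STOR upload with the data endpoint negotiated just before it."""
    user, pending, uploads = None, None, []
    for line in transcript.splitlines():
        direction, _, msg = line.partition(" ")
        cmd = msg.upper()
        if direction == ">" and cmd.startswith("USER "):
            user = msg[5:].strip()
        elif direction == ">" and cmd.startswith("PORT "):
            pending = decode_hostport(msg)   # active mode: client picks the endpoint
        elif direction == "<" and cmd.startswith("227"):
            pending = decode_hostport(msg)   # passive mode: server picks the endpoint
        elif direction == ">" and cmd.startswith("STOR "):
            uploads.append({"file": msg[5:].strip(), "endpoint": pending})
            pending = None                   # each transfer negotiates a fresh port
    endpoints = sorted({u["endpoint"] for u in uploads if u["endpoint"]})
    display_filter = " || ".join(f"(ip.addr == {ip} && tcp.port == {port})" for ip, port in endpoints)  # Wireshark filter
    return {"user": user, "uploads": uploads, "display_filter": display_filter}
```

Feeding it the real control channel (e.g. "Follow TCP Stream" on port 21, saved as text) gives the list of files the infected host pushed and a filter that isolates the data connections from the rest of the pcap.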


IMAGES:

- Screenshot of the email.
- TAR archive and its content.
- Malware persistent on the infected Windows host.
- Traffic for the FTP data exfiltration filtered in Wireshark.