2024-12-04 - AgentTesla variant using FTP
2024-12-5 08:45:0 Author: www.malware-traffic-analysis.net

2024-12-04 (WEDNESDAY): AGENTTESLA VARIANT USING FTP

NOTES:

- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.

ASSOCIATED FILES:

NOTES:

- Not sure if this is Origin Logger, Snake Key Logger or VIP Recover/VIP Key Logger, but it's an AgentTesla variant.
- Saw a similar infection on 2024-11-25, but I didn't post a blog on it, only social media:
  -- https://www.linkedin.com/posts/bradley-duncan-13477868_malware-agenttesla-originlogger-activity-7266937901085548544-_hf6/
  -- https://bsky.app/profile/malware-traffic.bsky.social/post/3lbsjahzpas2p

HEADER LINES FROM EMAIL DISTRIBUTING THE MALWARE:

- Received: from [94.141.120[.]32] (unknown [94.141.120[.]32])
  [info removed]; Wed, 04 Dec 2024 12:51:16 +0000 (UTC)
- From: =?UTF-8?B?U2VydGFuIMOHT0tFUg==?= 
- Subject: PURCHASE QUOTATION
- Date: 4 Dec 2024 04:51:17 -0800
- Message-ID: <20241204045117.4A43A7B93A5F2488@acronas[.]com[.]tr>
- Attachment name: TECHNICAL SPECIFICATIONS.TAR

ASSOCIATED MALWARE:

- SHA256 hash: 5c98308c69c84a57214442e2cadc9f8f0fcdbab8e6050f9915ac336b6f1d59f0
- File size: 798,831 bytes
- File name: TECHNICAL SPECIFICATIONS.TAR
- File type: RAR archive data, v4, os: Win32
- File description: Email attachment, RAR archive containing EXE for AgentTesla variant

- SHA256 hash: d1b068b826e3a9527cddd09866886caba895f390af930a9b35c027eb1c2db34c
- File size: 1,096,704 bytes
- File name: TECHNICAL SPECIFICATIONS.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: EXE extracted from the above RAR archive, AgentTesla variant

INFECTION TRAFFIC:

- port 443 - api.ipify[.]org - HTTPS traffic, IP address check by infected host, not malicious
- 192.254.225[.]136 port 21 - ftp.ercolina-usa[.]com - FTP control channel traffic
- 192.254.225[.]136 various ports - ftp.ercolina-usa[.]com - FTP data traffic
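
The FTP data channel shows up on "various ports" because each upload is preceded by a PASV exchange in which the server names a fresh data port. The parser below is an added example (not the author's code or tooling): it walks an FTP control-channel transcript of the kind an analyst exports from Wireshark, decodes each 227 reply into host and port, and pairs it with the following STOR so the data connections can be located in the capture. The transcript, user name and file names are constructed; the server address is the one from the listing above.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel transcript (not from the actual capture).
# Server address is from the traffic listing above; everything else is made up.
SAMPLE_CONTROL = """\
220 FTP server ready
USER exfil_user
331 Password required
PASS [redacted]
230 Login successful
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (192,254,225,136,196,25)
STOR victim-data-1.html
150 Opening BINARY mode data connection
226 Transfer complete
PASV
227 Entering Passive Mode (192,254,225,136,197,3)
STOR victim-data-2.html
150 Opening BINARY mode data connection
226 Transfer complete
QUIT
221 Goodbye
"""

# 227 reply carries (h1,h2,h3,h4,p1,p2); data port = p1 * 256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
STOR_RE = re.compile(r"^STOR\s+(.+)$")

@dataclass
class Upload:
    data_host: str   # where the data connection goes
    data_port: int   # ephemeral port announced by the server
    filename: str    # name given in the STOR command
    completed: bool  # True once the server sent 226 for this transfer

def parse_ftp_uploads(control_text):
    """Return one Upload per STOR, each tied to the preceding PASV reply."""
    uploads, pending, current = [], None, None
    for line in control_text.splitlines():
        line = line.strip()
        m = PASV_RE.match(line)
        if m:
            a, b, c, d, p1, p2 = map(int, m.groups())
            pending = (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)
            continue
        m = STOR_RE.match(line)
        if m and pending:  # STOR with no PASV would be an active-mode transfer
            current = Upload(pending[0], pending[1], m.group(1), False)
            uploads.append(current)
            pending = None
            continue
        if line.startswith("226") and current:
            current.completed = True
            current = None
    return uploads
```

The returned host/port pairs are exactly the filter values needed to pull each data stream out of the pcap, which is how the exfiltrated content in the last screenshot is recovered.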

IMAGES:

- [Image] Screenshot of the email.
- [Image] TAR archive and its content.
- [Image] Malware persistent on the infected Windows host.
- [Image] Traffic for the FTP data exfiltration filtered in Wireshark.



Source: https://www.malware-traffic-analysis.net/2024/12/04/index.html