Thursday, April 29, 2021

Threat Library - Agent Tesla

 Agent Tesla

---------------------------------------------------

date: 5/5/2021

delivery: Unknown

persistence: scheduled Task, \Updates\SPjSKjh, c:\users\<userid>\appdata\roaming\spjskih.exe

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: filname similar to previous (vbc.exe) and other patterns match like re-launch EXE after 1min45sec, smtp type c2 possible, etc.

special notes: .net executable, starts execution at about ~14 to 15mb initially, waits about 1 min 45 seconds, then relaunched itself, new pid, 2nd executable waits several minutes to do anything, then checks for credentials (chrome, qqbrowser, ultravnc, thunderbird, waterfox, etc.) through disk and registry, in memory strings on 2nd end up including the credential theft, also this has "Snake Keylogger" inside it per strings, as well as API.Telegram.org connections and possible SMTP c2 with email address

samples: 

EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection

links: 

https://twitter.com/neonprimetime/status/1389964247942279168

screenshots: 













---------------------------------------------------


date: 4/29/2021

delivery: email [Subject: New PO#422328, ISO (PO#0422328.pdf.iso) w/ EXE inside (PO#04222328.pdf.exe)]

persistence: startup registry entry (hkcu\software\microsoft\currentversion\run, gqxRqe, c:\users\<userid>appdata\roaming\gqxRqe\gqxRqe.exe)

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: strings in memory matching previously seen ( %mailaddres%%password%%smtp%%toemail% )

special notes: .net executable, link to torproject.org download in .net code, code for webrequest and smtpclient, double file extension (PO#04222328.pdf.exe), starts execution at about ~14 to 15mb initially, waits about 1 min 45 seconds, then relaunched itself, new pid, 2nd executable waits several minutes to do anything, only gets to ~17mb or 18mb, then checks for credentials (chrome, qqbrowser, ultravnc, thunderbird, waterfox, etc.) through disk and registry, in memory strings on 2nd end up including the credential theft

samples: 

ISO - https://www.virustotal.com/gui/file/f07b343d5a7b752a5b396b06174428a66ab98d8bb28bf33e9ea911797c32af2d/detection

EXE - https://www.virustotal.com/gui/file/83bcf31fc0d06b39c6cce6bc074cde9033f5e378f0104da887ec3f924f73376a/detection

links: 

https://twitter.com/neonprimetime/status/1387837559531786243

screenshots: 










---------------------------------------------------

 date: 10/13/2020

delivery: email [Subject: Request for Quotation, Link to DOC (http://107.173.219[.]56/document ), downloads EXE from same domain ( http://107.173.219[.]56/tmt.exe ), runs Equation Editor exploit (EQNEDT32.EXE)]

persistence: unknown

capabilities (per memory strings): unknown

c2s: smtp.yandex[.]ru

identification method: twitter replies

special notes: child processes of "vbc.exe" and "RegAsm.exe"

samples: 

DOC - https://app.any.run/tasks/0410129a-646d-4c19-8207-081679403171/

links: 

https://twitter.com/neonprimetime/status/1316107602942668800

screenshots: 








---------------------------------------------------

6 comments:

  1. Are you in need of finance? we give out guarantee cash at 3% interest rate. Contact us on any kind of finance now: financialserviceoffer876@gmail.com whatsapp Number +918929509036 Dr James Eric Finance Pvt Ltd

    ReplyDelete
  2. I was thrown out of my own house was sleeping in a hotel for weeks she also took possession of my son could only see him once a week then I found out she was in love with my accountant all these while so I went online and I came across a Russian private investigator who help me get all my properties and my accounts back even my company back how he did these I don’t know but I gave all the information he asked for and followed all his instructions and now I’m happy my life’s better now.
    Thanks to HACKINTECHNOLOGY@CYBERSERVICES.COM
    I just said I should share my own story here
    Thank you

    ReplyDelete
  3. Hello guys I would wish to share my testimony on how I got my edd funds I have been trying to get my edd done fit the two months i was told to first certify for 3 weeks which I had paid for but my edd card wasn’t delivered to me I changed my mail and called for card replacement and I was told I would get it in the next 10 working days but still nothing not until I was introduced to a company and in the next 8 working days I got my card and also few days later I got my funds
    Website: http://Alphasecuritycorporation.com
    Phone number: +12132951376

    ReplyDelete
  4. Hello to everyone out here, I am here to share the unexpected miracle that happened to me … My name is Susan Christian , I live in London, UK. we got married for more than 9 years and have gotten two kids. thing were going well with us and we are always happy. until one day my husband started to behave in a way i could not understand, i was very confused by the way he treat me and the kids. later that month he did not come home again and he called me that he want a divorce, i asked him what have i done wrong to deserve this from him, all he was saying is that he want a divorce that he hate me and do not want to see me again in his life, i was mad and also frustrated do not know what to do, i was sick for more than 2 weeks because of the divorce. i love him so much he was everything to me without him my life is incomplete. i told my sister and she told me to contact a spell caster, i never believe in all this spell casting of a thing. i just want to try if something will come out of it. i contacted Dr Emu for the return of my husband to me, they told me that my husband have been taken by another woman, that she cast a spell on him that is why he hate me and also want us to divorce. then they told me that they have to cast a spell on him that will make him return to me and the kids, they casted the spell and after 24 hours my husband called me and he told me that i should forgive him, he started to apologize on phone and said that he still live me that he did not know what happen to him that he left me. it was the spell that he Dr Emu casted on him that make him come back to me today, me and my family are now happy again today. thank you Dr Emu for what you have done for me i would have been nothing today if not for your great spell. i want you my friends who are passing through all this kind of love problem of getting back their husband, wife , or ex boyfriend and girlfriend to contact Dr Emu ,if you need his help you can contact him through his private mail: emutemple@gmail.com or you can contact him through his website https://emutemple.wordpress.com/ fb page Https://web.facebook.com/Emu-Temple-104891335203341 and you will see that your problem will be solved without any delay.

    ReplyDelete
  5. I know of a group of private investigators who can help you with they are also hackers but prefer to be called private investigators They can help with your bitcoin issues and your clients will be happy doing business with you,they can also help yo with your bad credit score,hacking into phones,binary recovery,wiping criminal records,increase school score, stolen files in your office or school,blank atm etc. Just name it and you will live a better life
    Contact +1(407) 777-4240
    Premiumhackservices@gmail.com

    ReplyDelete
  6. He is the best out there,I tested him and he delivered a good job,he helped me settle bank loans,he also helped my son upgrade his scores at high school final year which made him graduate successfully and he gave my son free scholarship into the college,all I had to do was to settle the bills for the tools on the job,I used $500 to get a job of $50000 done all thanks to Robertson he saved me from all my troubles,sharing this is how I can show gratitude in return for all he has done for me and my family

    Contact premiumhackservices@gmail.com

    Text/call ‪+1 (984) 733‑3673‬

    WhatsApp ‪+1 (984) 733‑3673‬

    Telegram ‪+1 (984) 733‑3673‬

    ReplyDelete