Agent Tesla
---------------------------------------------------
date: 5/5/2021
delivery: Unknown
persistence: scheduled task (\Updates\SPjSKjh) launching c:\users\<userid>\appdata\roaming\spjskih.exe
capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)
c2s: unknown
identification method: filename similar to a previously seen sample (vbc.exe), plus other matching patterns (re-launches its EXE after ~1 min 45 sec, possible SMTP-type C2, etc.)
special notes: .NET executable. Starts execution at roughly 14 to 15 MB of memory, waits about 1 min 45 sec, then relaunches itself under a new PID; the second process waits several minutes before doing anything, then checks disk and registry for stored credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.), at which point the memory strings of the second process include the credential-theft code. Strings also contain "Snake Keylogger", connections to API.Telegram.org, and a possible SMTP C2 with an email address.
samples:
EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection
links:
https://twitter.com/neonprimetime/status/1389964247942279168
screenshots:
---------------------------------------------------
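Both persistence mechanisms recorded on this page (the scheduled task in the entry above and the HKCU Run key in the entry below) launch an executable from the user's AppData\Roaming directory. The following triage script is an added example, not code from the page or from the malware: it parses a Task Scheduler task definition and the text output of `reg query` on the Run key and flags any launch command that points into a user-writable Roaming profile path. The task XML, the `reg query` output, the username `alice` and the value names are constructed for the example; the task namespace URI is the fixed one Windows uses.

```python
r"""Persistence triage for the two mechanisms recorded on this page.

Added example, not code from the page or from the malware. It parses a
Task Scheduler task definition (the XML Windows stores under
C:\Windows\System32\Tasks\<folder>\<name>) and the text output of
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and flags
every launch command that points into a user's AppData\Roaming directory.
Inputs below are constructed; names mirror the page's samples.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by all Task Scheduler 2.0 task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launch paths under <user>\AppData\Roaming or %APPDATA%: user-writable,
# so no admin rights are needed to drop a file there.
ROAMING_RE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\roaming\\|%appdata%\\)", re.IGNORECASE)

# Constructed task XML modelled on the \Updates\SPjSKjh task ("alice" is a
# made-up username; the XML declaration is omitted).
SAMPLE_TASK_XML = r"""<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\spjskih.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed `reg query` output: one benign value, one value in the style
# of the gqxRqe entry, and a REG_EXPAND_SZ value to show the %APPDATA% form
# is caught as well.
SAMPLE_RUN_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    gqxRqe    REG_SZ    c:\users\alice\appdata\roaming\gqxRqe\gqxRqe.exe
    Updater    REG_EXPAND_SZ    %APPDATA%\Updater\svc.exe
"""


def task_commands(task_xml: str) -> list[str]:
    """Return every <Exec><Command> in a task definition."""
    root = ET.fromstring(task_xml)
    return [c.text.strip()
            for c in root.findall(".//t:Exec/t:Command", TASK_NS) if c.text]


def run_key_values(reg_output: str) -> dict[str, str]:
    """Parse `reg query` lines of the form '    name    REG_SZ    data'.
    Value names containing spaces are not handled (kept simple on purpose)."""
    values: dict[str, str] = {}
    for line in reg_output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.*\S)\s*$", line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def is_user_writable_launch(command: str) -> bool:
    """True when the launch command lives under AppData\Roaming or %APPDATA%."""
    return bool(ROAMING_RE.search(command))


def triage(task_xml: str, reg_output: str) -> list[tuple[str, str]]:
    """(source, command) pairs for every launch point under AppData\Roaming."""
    findings = []
    for cmd in task_commands(task_xml):
        if is_user_writable_launch(cmd):
            findings.append(("scheduled_task", cmd))
    for name, data in run_key_values(reg_output).items():
        if is_user_writable_launch(data):
            findings.append(("run_key:" + name, data))
    return findings


if __name__ == "__main__":
    for source, command in triage(SAMPLE_TASK_XML, SAMPLE_RUN_QUERY):
        print(f"{source:20} {command}")
```

On a live host, feed `task_commands` the contents of each file under C:\Windows\System32\Tasks (they are UTF-16 on disk, so open them with that encoding) and `run_key_values` the output of `reg query`; the OneDrive value is the kind of benign AppData\Local entry the Roaming-only check is meant to leave alone.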
date: 4/29/2021
delivery: email [Subject: New PO#422328, ISO (PO#0422328.pdf.iso) w/ EXE inside (PO#04222328.pdf.exe)]
persistence: startup registry entry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value gqxRqe, c:\users\<userid>\appdata\roaming\gqxRqe\gqxRqe.exe)
capabilities (per memory strings): Keylogger (KeyDown, KeyboardState), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)
c2s: unknown
identification method: strings in memory matching previously seen samples ( %mailaddres%%password%%smtp%%toemail% )
special notes: .NET executable; link to a torproject.org download in the .NET code; code for WebRequest and SmtpClient; double file extension (PO#04222328.pdf.exe). Starts execution at roughly 14 to 15 MB of memory, waits about 1 min 45 sec, then relaunches itself under a new PID; the second process waits several minutes before doing anything and only grows to ~17 or 18 MB, then checks disk and registry for stored credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.), at which point the memory strings of the second process include the credential-theft code.
samples:
ISO - https://www.virustotal.com/gui/file/f07b343d5a7b752a5b396b06174428a66ab98d8bb28bf33e9ea911797c32af2d/detection
EXE - https://www.virustotal.com/gui/file/83bcf31fc0d06b39c6cce6bc074cde9033f5e378f0104da887ec3f924f73376a/detection
links:
https://twitter.com/neonprimetime/status/1387837559531786243
screenshots:
---------------------------------------------------
date: 10/13/2020
delivery: email [Subject: Request for Quotation, link to DOC (http://107.173.219[.]56/document ), DOC downloads an EXE from the same host ( http://107.173.219[.]56/tmt.exe ) and runs an Equation Editor exploit (EQNEDT32.EXE)]
persistence: unknown
capabilities (per memory strings): unknown
c2s: smtp.yandex[.]ru
identification method: twitter replies
special notes: child processes of "vbc.exe" and "RegAsm.exe"
samples:
DOC - https://app.any.run/tasks/0410129a-646d-4c19-8207-081679403171/
links:
https://twitter.com/neonprimetime/status/1316107602942668800
screenshots:
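The entry above gives a process chain (EQNEDT32.EXE, then vbc.exe and RegAsm.exe as child processes) and the two entries before it give a timing pattern (the EXE relaunches itself after about 1 min 45 sec). The script below is an added example, not code from the page, that runs those three checks over a list of process-creation events. The event field names (`ts`, `pid`, `ppid`, `image`), the expected-parent list for the .NET utilities and the sample events are all constructed for the example, not any particular EDR's schema.

```python
r"""Process-tree checks for the execution chain recorded on this page.

Added example, not code from the page. Over a list of process-creation
events (constructed here; the field names are an assumption, not a
specific EDR's schema) it flags three things the entries describe:
anything spawned by EQNEDT32.EXE, the .NET utilities vbc.exe/RegAsm.exe
started by something other than a build tool, and a process relaunching
its own image after a delay (the ~1 min 45 sec self-relaunch).
"""
import ntpath

# .NET framework utilities that commodity stealers use as injection hosts.
NET_UTILITY_HOSTS = {"vbc.exe", "regasm.exe"}
# Parents under which those utilities are expected (assumption; tune locally).
EXPECTED_UTILITY_PARENTS = {"msbuild.exe", "devenv.exe", "cmd.exe", "powershell.exe"}
# Images that legitimately spawn copies of themselves.
MULTIPROCESS_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) for each suspicious process-creation event."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else None

        # Equation Editor has no business spawning anything.
        if parent_name == "eqnedt32.exe":
            alerts.append(("equation_editor_child", e["pid"], name))
        # vbc.exe / RegAsm.exe launched by something that is not a build tool.
        if name in NET_UTILITY_HOSTS and parent_name not in EXPECTED_UTILITY_PARENTS:
            alerts.append(("dotnet_utility_unexpected_parent", e["pid"],
                           f"{name} <- {parent_name or 'unknown'}"))
        # Same image as the parent: the stealer's delayed self-relaunch.
        if parent and name == parent_name and name not in MULTIPROCESS_APPS:
            delay = e["ts"] - parent["ts"]
            alerts.append(("self_relaunch", e["pid"], f"{name} after {delay}s"))
    return alerts


# Constructed events (ts = seconds since first event; paths and pids made up).
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": 5, "pid": 200, "ppid": 150,  # DCOM launch; parent not captured
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"ts": 7, "pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\tmt.exe"},
    {"ts": 40, "pid": 400, "ppid": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"ts": 50, "pid": 500, "ppid": 400,  # benign: compiler under msbuild
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"ts": 112, "pid": 310, "ppid": 300,  # same image relaunched ~1m45s later
     "image": r"C:\Users\alice\AppData\Local\Temp\tmt.exe"},
    {"ts": 400, "pid": 320, "ppid": 310,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

The benign vbc.exe under MSBuild.exe is there to show why the parent check matters: the utility itself is signed Microsoft code, so the signal is who launched it, not what it is.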
---------------------------------------------------