2018-04-23 - DHL-THEMED MALSPAM PUSHES AGENT TESLA - A SOMEWHAT SLOPPY JOB
ASSOCIATED FILES:
- Zip archive of the email: 2018-04-23-DHL-themed-malspam-1359-UTC.eml.zip 19.4 kB (19,394 bytes)
- Zip archive of the infection traffic: 2018-04-23-DHL-themed-malspam-infection-traffic.pcap.zip 16.6 MB (16,642,734 bytes)
- Zip archive of the malware: 2018-04-23-DHL-themed-malspam-infection-artifacts-and-malware.zip 10.0 MB (9,978,966 bytes)
NOTES:
- As I write this, plumberspro.us is an open directory, so you can grab the malware from there directly, and you can see the WebPanel directories.
- From the post-infection traffic, I see alerts for Agent Tesla, Quasar RAT, and Loda Logger.
Shown above: Haha! plumberspro.us is open to the world. (I added Peter Griffin to the image. That's not part of the site.)
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:
- plubmerspro.us
- grigori.ddns.net
- godstar.hopto.org
Shown above: Screenshot of the email.
EMAIL HEADERS:
Received: from thaibev.com ([111.90.138.79]) by [removed] for [removed];
Mon, 23 Apr 2018 14:00:14 +0000 (UTC)
From: DHL<info@thaibev.com>
To: [removed]
Subject: Your shippment Is Ready For Pick Up!!!
Date: 23 Apr 2018 21:59:50 +0800
Message-ID: <20180423215950.76829663E81D16CB@thaibev.com>
MIME-Version: 1.0
Shown above: Malicious Word document downloaded from link in the malspam.
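The headers above show the classic shape of this lure: a "DHL" display name on an address at thaibev.com, relayed from thaibev.com's own IP. The following Python script is an added example (not part of the original post) that parses that header block with the standard library, flags a brand display name whose sender domain does not belong to the brand, and pulls the first relay IP out of the Received header. The BRAND_DOMAINS table is an assumption made for the example, and the raw message is reconstructed from the headers quoted in the post with a placeholder body so it parses.

```python
import email
import email.utils
import re

# Constructed sample: the header block quoted in the post, redacted fields
# kept as "[removed]", with a one-line placeholder body so it parses.
RAW_EMAIL = """\
Received: from thaibev.com ([111.90.138.79]) by [removed] for [removed];
 Mon, 23 Apr 2018 14:00:14 +0000 (UTC)
From: DHL<info@thaibev.com>
To: [removed]
Subject: Your shippment Is Ready For Pick Up!!!
Date: 23 Apr 2018 21:59:50 +0800
Message-ID: <20180423215950.76829663E81D16CB@thaibev.com>
MIME-Version: 1.0

(body omitted)
"""

# Brands whose display name should only come from their own domains.
# This mapping is an assumption for the example, not something from the post.
BRAND_DOMAINS = {"dhl": ("dhl.com", "dhl.de")}


def display_name(msg):
    name, _addr = email.utils.parseaddr(msg.get("From", ""))
    return name


def sender_domain(msg):
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def brand_mismatch(msg):
    """Return the brand name if the From display name claims a brand that the
    sender's domain does not belong to, otherwise None."""
    name = display_name(msg).lower()
    domain = sender_domain(msg)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not any(
            domain == d or domain.endswith("." + d) for d in domains
        ):
            return brand
    return None


def first_hop_ip(msg):
    """IPv4 address of the relay named in the topmost Received header."""
    for hop in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return m.group(1)
    return None


def triage(raw):
    """Summarise the sender-related fields a mail analyst checks first."""
    msg = email.message_from_string(raw)
    return {
        "display_name": display_name(msg),
        "sender_domain": sender_domain(msg),
        "brand_mismatch": brand_mismatch(msg),
        "first_hop_ip": first_hop_ip(msg),
        "subject": msg.get("Subject", ""),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

For the quoted headers this reports a brand mismatch ("dhl" claimed, thaibev.com sending) and 111.90.138.79 as the first hop, which is what a mail gateway rule keyed on display-name spoofing would alert on.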
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.
NETWORK TRAFFIC FROM AN INFECTED LAB HOST:
- 199.188.200.49 port 80 - plubmerspro.us - GET /Shippment20Details.doc
- 199.188.200.49 port 80 - plubmerspro.us - GET /good.exe
- port 80 - checkip.dyndns.org - GET /
- 199.188.200.49 port 80 - plubmerspro.us - POST /Exterminators20Lander20Updated/images/WebPanel/api.php - Agent Tesla CnC traffic
- port 443 - ipapi.co - HTTPS traffic
- port 80 - in-api.com - GET /json
- 206.189.23.191 port 5555 - grigori.ddns.net - encoded/encrypted traffic, possible Quasar RAT
- 206.189.23.191 port 1300 - godstar.hopto.org - Loda Logger CnC traffic
FILE HASHES
MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:
- Location: hxxp://plubmerspro.us/good.exe
Location: C:\Users\[username]\AppData\Local\Temp\eCDiXBI.exe
SHA256 hash: cf8083a42b4c144f52c45ac4050d649ca1b07032776d82fb2defc2370a02e2dd
File size: 8,118,423 bytes
File description: Agent Tesla malware/installer
- Location: C:\Users\[username]\AppData\Local\Temp\HTNYEL.vbs
SHA256 hash: varies, based on host name of the infected Windows host
File size: Approx 850 bytes
File description: VBS file seen during the infection; the file name is probably different for each infection
- Location: C:\Users\[username]\AppData\Local\Temp\LB9.exe
SHA256 hash: c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3
File size: 10,752 bytes
File description: Malware or component associated with Agent Tesla
- Location: C:\Users\[username]\AppData\Roaming\firfox\firfox.exe
SHA256 hash: dc5821211f411e01ed7932cc83db772c66bb1ed7cd1eadbe8edb60091e49462f
File size: 355,840 bytes
File description: Possible Quasar RAT component
- Location: C:\Users\[username]\AppData\Roaming\Windata\MDZYTH.exe
SHA256 hash: 9307773457add5c033fc2505c947b091f213c833b9c41d302d083452fb08a0f2
File size: 647,078 bytes
File description: Possible Quasar RAT component
- Location: C:\Users\[username]\AppData\Roaming\M & T Bank Corporation\M & T Bank Corporation.exe
SHA256 hash: 6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f
File size: 69,632 bytes
File description: Not malicious; this is a legitimate copy of MSBuild.exe being used maliciously in this infection
- C:\Users\[username]\AppData\Roaming\ScreenShot\screen.jpeg
- C:\Users\[username]\AppData\Roaming\Logs\04-23-2018
- Location: hxxp://plubmerspro.us/Shippment20Details.doc
SHA256 hash: 6e490f1d39ae743190ac73d06f0bdb3b4b271bdd927947f14311ad84088a47d2
File size: 123,392 bytes
File description: Word document with macro to install Agent Tesla (and whatever else happened here)
- Location: hxxp://plubmerspro.us/bind.exe
SHA256 hash: 859a3f51822dcc7bed8308dbda275e49330e7ec036f1d4905ba1fc75fe0d1318
File size: 1,171,456 bytes
File description: Another Agent Tesla malware/installer found on the malware/CnC server
Shown above: Malware found persistent on an infected Windows host.
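To turn the network traffic list and the file hash list above into something that can be run against logs, here is an added Python example (not part of the original post or the malware-traffic-analysis.net tooling). It carries the post's domains, IP:port pairs and SHA256 hashes as indicator sets, matches domains on exact or subdomain basis so that a dynamic DNS parent such as ddns.net is never matched on its own, reports the public IP-lookup services (checkip.dyndns.org, ipapi.co, in-api.com) as supporting context rather than as hits, and treats the MSBuild.exe hash as context because it is a legitimate file. The log format, the internal 10.x source address and the two non-indicator destination IPs (203.0.113.10, 198.51.100.5) are constructed for the example; the domain spelling is taken from the post as written.

```python
import hashlib

# Network indicators copied from the post.
CNC_DOMAINS = {"plubmerspro.us", "grigori.ddns.net", "godstar.hopto.org"}
CNC_ENDPOINTS = {
    ("199.188.200.49", 80),     # plubmerspro.us: payloads and Agent Tesla WebPanel
    ("206.189.23.191", 5555),   # grigori.ddns.net: possible Quasar RAT
    ("206.189.23.191", 1300),   # godstar.hopto.org: Loda Logger CnC
}
# Public IP-lookup services used after infection; legitimate by themselves,
# so they are reported as context, not as indicators.
RECON_DOMAINS = {"checkip.dyndns.org", "ipapi.co", "in-api.com"}

# SHA256 hashes copied from the post's file list.
MALWARE_SHA256 = {
    "cf8083a42b4c144f52c45ac4050d649ca1b07032776d82fb2defc2370a02e2dd": "Agent Tesla malware/installer (good.exe)",
    "c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3": "Agent Tesla component (LB9.exe)",
    "dc5821211f411e01ed7932cc83db772c66bb1ed7cd1eadbe8edb60091e49462f": "possible Quasar RAT component (firfox.exe)",
    "9307773457add5c033fc2505c947b091f213c833b9c41d302d083452fb08a0f2": "possible Quasar RAT component (MDZYTH.exe)",
    "6e490f1d39ae743190ac73d06f0bdb3b4b271bdd927947f14311ad84088a47d2": "Word document with macro (Shippment20Details.doc)",
    "859a3f51822dcc7bed8308dbda275e49330e7ec036f1d4905ba1fc75fe0d1318": "Agent Tesla malware/installer (bind.exe)",
}
# Legitimate MSBuild.exe copied under a bank-themed name: a hash hit alone is not malicious.
LOLBIN_SHA256 = {
    "6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f": "legitimate MSBuild.exe (abused for persistence)",
}


def domain_matches(host, domains):
    """Exact or subdomain match: www.plubmerspro.us hits, bare ddns.net does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_event(dst_ip, dst_port, host):
    """Return ('cnc', reason), ('recon', reason) or None for one connection."""
    if domain_matches(host, CNC_DOMAINS):
        return ("cnc", f"host {host} is a known CnC/payload domain")
    if (dst_ip, int(dst_port)) in CNC_ENDPOINTS:
        return ("cnc", f"{dst_ip}:{dst_port} is a known CnC endpoint")
    if domain_matches(host, RECON_DOMAINS):
        return ("recon", f"public IP lookup via {host}")
    return None


def scan_log(lines):
    """Scan constructed whitespace-separated lines of the form
    'ts src_ip src_port dst_ip dst_port host uri' (host/uri may be '-')."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src_ip, _sport, dst_ip, dst_port, host, uri = line.split(maxsplit=6)
        verdict = classify_event(dst_ip, dst_port, host)
        if verdict:
            hits.append((ts, src_ip, verdict[0], verdict[1], uri))
    return hits


def check_hash(sha256):
    """Look a SHA256 up in both tables; returns (severity, description) or None."""
    sha256 = sha256.lower()
    if sha256 in MALWARE_SHA256:
        return ("malicious", MALWARE_SHA256[sha256])
    if sha256 in LOLBIN_SHA256:
        return ("context", LOLBIN_SHA256[sha256])
    return None


def file_sha256(path):
    """Hash a file on disk in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log (not taken from the pcap) mirroring the post's traffic list.
SAMPLE_LOG = """\
# ts src_ip src_port dst_ip dst_port host uri
2018-04-23T14:05:01Z 10.4.23.101 49211 199.188.200.49 80 plubmerspro.us /Shippment20Details.doc
2018-04-23T14:05:09Z 10.4.23.101 49215 199.188.200.49 80 plubmerspro.us /good.exe
2018-04-23T14:05:20Z 10.4.23.101 49220 203.0.113.10 80 checkip.dyndns.org /
2018-04-23T14:05:31Z 10.4.23.101 49231 199.188.200.49 80 plubmerspro.us /Exterminators20Lander20Updated/images/WebPanel/api.php
2018-04-23T14:06:02Z 10.4.23.101 49240 206.189.23.191 5555 - -
2018-04-23T14:06:05Z 10.4.23.101 49244 206.189.23.191 1300 - -
2018-04-23T14:07:00Z 10.4.23.101 49250 198.51.100.5 443 example.com /
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample log this yields five CnC hits (three to plubmerspro.us, two to the 206.189.23.191 ports) and one recon event for checkip.dyndns.org; the example.com line is ignored. To check a retrieved file, pass file_sha256(path) to check_hash(), and treat a "context" result for the MSBuild.exe hash as a reason to look at how it got into AppData\Roaming rather than as a detection by itself.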
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the email: 2018-04-23-DHL-themed-malspam-1359-UTC.eml.zip 19.4 kB (19,394 bytes)
- Zip archive of the infection traffic: 2018-04-23-DHL-themed-malspam-infection-traffic.pcap.zip 16.6 MB (16,642,734 bytes)
- Zip archive of the malware: 2018-04-23-DHL-themed-malspam-infection-artifacts-and-malware.zip 10.0 MB (9,978,966 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.