2018-04-23 - DHL-THEMED MALSPAM PUSHES AGENT TESLA - A SOMEWHAT SLOPPY JOB

ASSOCIATED FILES:

• Zip archive of the email:  2018-04-23-DHL-themed-malspam-1359-UTC.eml.zip   19.4 kB (19,394 bytes)
• Zip archive of the infection traffic:  2018-04-23-DHL-themed-malspam-infection-traffic.pcap.zip   16.6 MB (16,642,734 bytes)
• Zip archive of the malware:  2018-04-23-DHL-themed-malspam-infection-artifacts-and-malware.zip   10.0 MB (9,978,966 bytes)

NOTES:

• As I write this, plumberspro.us is an open directory, so you can grab the malware from there directly, and you can see the WebPanel directories.
• From the post-infection traffic, I see alerts for Agent Tesla, Quasar RAT, and Loda Logger.

Shown above:  Haha!  plumberspro.us is open to the world.  (I added Peter Griffin to the image.  That's not part of the site.)

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains:

• plubmerspro.us
• grigori.ddns.net
• godstar.hopto.org

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

Received: from thaibev.com ([111.90.138.79]) by [removed] for [removed];
     Mon, 23 Apr 2018 14:00:14 +0000 (UTC)
From: DHL<info@thaibev.com>
To: [removed]
Subject: Your shippment Is Ready For Pick Up!!!
Date: 23 Apr 2018 21:59:50 +0800
Message-ID: <20180423215950.76829663E81D16CB@thaibev.com>
MIME-Version: 1.0

 

Shown above:  Malicious Word document downloaded from link in the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 199.188.200.49 port 80 - plubmerspro.us - GET /Shippment20Details.doc
• 199.188.200.49 port 80 - plubmerspro.us - GET /good.exe
• port 80 - checkip.dyndns.org - GET /
• 199.188.200.49 port 80 - plubmerspro.us - POST /Exterminators20Lander20Updated/images/WebPanel/api.php - Agent Tesla CnC traffic
• port 443 - ipapi.co - HTTPS traffic
• port 80 - in-api.com - GET /json
• 206.189.23.191 port 5555 - grigori.ddns.net - encoded/encrypted traffic, possible Quasar RAT
• 206.189.23.191 port 1300 - godstar.hopto.org - Loda Logger CnC traffic

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

• Location: hxxp://plubmerspro.us/good.exe
  Location: C:\Users\[username]\AppData\Local\Temp\eCDiXBI.exe
  SHA256 hash: cf8083a42b4c144f52c45ac4050d649ca1b07032776d82fb2defc2370a02e2dd
  File size: 8,118,423 bytes
  File description: Agent Tesla malware/installer

• Location: C:\Users\[username]\AppData\Local\Temp\HTNYEL.vbs
  SHA256 hash: varies, based on host name of the infected Windows host
  File size: Approx 850 bytes
  File description: VBS file seen during the infection file name probably different for each infection

• Location: C:\Users\[username]\AppData\Local\Temp\LB9.exe
  SHA256 hash: c2cae82e01d954e3a50feaebcd3f75de7416a851ea855d6f0e8aaac84a507ca3
  File size: 10,752 bytes
  File description: Malware or component associated with Agent Tesla

• Location: C:\Users\[username]\AppData\Roaming\firfox\firfox.exe
  SHA256 hash: dc5821211f411e01ed7932cc83db772c66bb1ed7cd1eadbe8edb60091e49462f
  File size: 355,840 bytes
  File description: Possible Quasar RAT component

• Location: C:\Users\[username]\AppData\Roaming\Windata\MDZYTH.exe
  SHA256 hash: 9307773457add5c033fc2505c947b091f213c833b9c41d302d083452fb08a0f2
  File size: 647,078 bytes
  File description: Possible Quasar RAT component

• Location: C:\Users\[username]\AppData\Roaming\M & T Bank Corporation\M & T Bank Corporation.exe
  SHA256 hash: 6adc88fc0a0e108851909618442c03f57cdfc20f6db4ee88b84c0caf420f991f
  File size: 69,632 bytes
  File description: Not malicious, this is a legitimate file named MSBuild.exe being used maliciously for this infection

• C:\Users\[username]\AppData\Roaming\ScreenShot\screen.jpeg
  C:\Users\[username]\AppData\Roaming\Logs\04-23-2018

• Location: hxxp://plubmerspro.us/Shippment20Details.doc
  SHA256 hash: 6e490f1d39ae743190ac73d06f0bdb3b4b271bdd927947f14311ad84088a47d2
  File size: 123,392 bytes
  File description: Word document with macro to install Agent Telsa (and whatever else happened, here)

• Location: hxxp://plubmerspro.us/bind.exe
  SHA256 hash: 859a3f51822dcc7bed8308dbda275e49330e7ec036f1d4905ba1fc75fe0d1318
  File size: 1,171,456 bytes
  File description: Another Agent Tesla malware/installer found on the malware/CnC server

 

Shown above:  Malware found persistent on an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the email:  2018-04-23-DHL-themed-malspam-1359-UTC.eml.zip   19.4 kB (19,394 bytes)
• Zip archive of the infection traffic:  2018-04-23-DHL-themed-malspam-infection-traffic.pcap.zip   16.6 MB (16,642,734 bytes)
• Zip archive of the malware:  2018-04-23-DHL-themed-malspam-infection-artifacts-and-malware.zip   10.0 MB (9,978,966 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.