2023-07-07: AGENTTESLA DATA DUMP
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
NOTES:
- Malspam sent to my honeypot email accounts this week all had AgentTesla-style malware.
ASSOCIATED FILES:
- 2023-07-07-AgentTesla-data-dump.zip 19.9 MB (19,887,745 bytes)
TUESDAY 2023-07-04 THRU FRIDAY 2023-07-07: AGENTTESLA TO MY HONEYPOT EMAIL ACCOUNTS

NOTES:
- AgentTesla stopped back in 2019, and what's currently identified as AgentTesla is likely a variant, like OriginLogger
- More info at: https://unit42.paloaltonetworks.com/originlogger/

===============
EXAMPLE 1 OF 3:
===============

8 EMAILS:
- Received: from trans-china[.]com (unknown [141.98.6[.]124]); 2023-07-04 02:15 UTC
- Received: from tlsc[.]ru (unknown [141.98.6[.]124]); 2023-07-04 13:49 UTC
- Received: from trans-china[.]com (unknown [141.98.6[.]124]); 2023-07-04 15:00 UTC
- Received: from coretek[.]com[.]hk (unknown [141.98.6[.]124]); 2023-07-05 03:01 UTC
- Received: from highgategroup[.]net[.]au (unknown [141.98.6[.]124]); 2023-07-05 03:05 UTC
- Received: from jabil[.]com (unknown [141.98.6[.]124]); 2023-07-06 04:03 UTC
- Received: from sz-ysxd[.]com (unknown [141.98.6[.]124]); 2023-07-06 04:11 UTC
- Received: from coretek[.]com[.]hk (unknown [141.98.6[.]124]); 2023-07-06 08:50 UTC

- Subject: UPDATED SOA
- Subject: Payment Swift copy 2023/07/03
- Subject: UPDATED SOA
- Subject: 7/9 Shipping Documents
- Subject: payment confirmation
- Subject: Request for price quotation
- Subject: Fwd: Payment Release
- Subject: CoreSystem's new order CM-PO23020351 // ET528AE-F 2.6Kpcs kit (O-film)

7 DIFFERENT ATTACHMENTS:

3 DIFFERENT FILE HASHES FOR EXTRACTED EXE FILES:

POST-INFECTION DATA EXFILTRATION:
- 162.241.169[.]155 port 587 - mail.adityagroup[.]co - encrypted SMTP traffic

===============
EXAMPLE 2 OF 3:
===============

2 EMAILS:
- Received: from hlsholding[.]com[.]cn (unknown [185.225.74[.]18]); 2023-07-06 08:19 UTC
- Received: from 202.254.238[.]16 (EHLO sv15.xbiz[.]ne[.]jp); 2023-07-06 11:22:59 UTC
- Received: from [107.161.81[.]151] (unknown [107.161.81[.]151]) by sv15.xbiz[.]ne[.]jp; 2023-07-06 11:22:56 UTC

- Subject: Re: Confirm Bank Details
- Subject: QUOTATION REQUEST

2 ATTACHMENTS:
- f4f068ce78be6381eaaa55a7074d3770b6f175fa690527e9957a40dcddced8ff - 660,960 bytes - BANK DETAILS.pdf.zip
- d919819d7f4a8567f25b94fd9e54c1ea8fee4a7527816eecde3c6604c4f294f0 - 585,020 bytes - QUOTATION.pdf.rar

1 FILE HASH FOR EXTRACTED EXE FILES:
- a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886 - 777,728 bytes - PO.pdf.exe
- a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886 - 777,728 bytes - QUOTATION.pdf.exe

POST-INFECTION DATA EXFILTRATION:
- 173.254.28[.]237 port 587 - mail.expertsconsultgh[.]co - unencrypted SMTP traffic
- Uses email account for: oppong@expertsconsultgh[.]co
- Sends exfiltrated data to: info@ledcenter[.]by

===============
EXAMPLE 3 OF 3:
===============

2 EMAILS:
- Received: from ehansun[.]co[.]kr (unknown [185.222.58[.]35]); 2023-07-06 19:23 UTC
- Received: from ehansun[.]co[.]kr (unknown [185.222.58[.]35]); 2023-07-07 16:07 UTC

- Subject: info@[recipient's email domain] sent you files via inbox
- Subject: Posted Inv/BL

SAME ATTACHMENT FOR EACH EMAIL:
- a2218cee999c02a4b86acc88d0e9f9bae0696e9cba3dc47430bba0753b45c74c - 1,507,328 bytes - Balance Payment.img

EXTRACTED EXE:
- b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f - 923,200 bytes - Balance Payment.exe

POST-INFECTION DATA EXFILTRATION:
- 192.254.225[.]166 port 587 - mail.bonnyriggdentalsurgery[.]com[.]au - encrypted SMTP traffic