2023-07-07: AGENTTESLA DATA DUMP

NOTICE:

NOTES:


ASSOCIATED FILES:


TUESDAY 2023-07-04 THRU FRIDAY 2023-07-07: AGENTTESLA TO MY HONEYPOT EMAIL ACCOUNTS

NOTES:

- AgentTesla development stopped back in 2019, and what's currently identified as AgentTesla is likely a variant, like OriginLogger
- More info at: https://unit42.paloaltonetworks.com/originlogger/

===============
EXAMPLE 1 OF 3:
===============

8 EMAILS:

- Received: from trans-china[.]com (unknown [141.98.6[.]124]); 2023-07-04 02:15 UTC
- Received: from tlsc[.]ru (unknown [141.98.6[.]124]); 2023-07-04 13:49 UTC
- Received: from trans-china[.]com (unknown [141.98.6[.]124]); 2023-07-04 15:00 UTC
- Received: from coretek[.]com[.]hk (unknown [141.98.6[.]124]); 2023-07-05 03:01 UTC
- Received: from highgategroup[.]net[.]au (unknown [141.98.6[.]124]); 2023-07-05 03:05 UTC
- Received: from jabil[.]com (unknown [141.98.6[.]124]); 2023-07-06 04:03 UTC
- Received: from sz-ysxd[.]com (unknown [141.98.6[.]124]); 2023-07-06 04:11 UTC
- Received: from coretek[.]com[.]hk (unknown [141.98.6[.]124]); 2023-07-06 08:50 UTC

- Subject: UPDATED SOA
- Subject: Payment Swift copy 2023/07/03
- Subject: UPDATED SOA
- Subject: 7/9 Shipping Documents
- Subject: payment confirmation
- Subject: Request for price quotation
- Subject: Fwd: Payment Release
- Subject: CoreSystem's new order CM-PO23020351 // ET528AE-F 2.6Kpcs kit (O-film)

7 DIFFERENT ATTACHMENTS:

- c7eb8388bedf2d0b0b32947a2058f520b13bb843c945397e547ec9d46fd64ba9 - 516,090 bytes - MT103 4 7 2023.zip
- 0b381ce5719c9a3a547b1a24bf905e2e817e11c0c29b837a8cfeebb4b9d67843 - 583,125 bytes - new order CM-PO23020351.rar
- 1624fae65c0e2e253ca10b5edbd84afe641128e2aae775a61da1ed5735a4e5d8 - 660,080 bytes - Request for quotation.zip
- 5af7dcff567c1bd9f70aa738c0d4daeb1a711231f40afda6ffd3ab4b2d3aedb7 - 516,098 bytes - shipping documents.zip
- 4bfd131fd9e46f7b57d7c6bebf4190e29d20cd2f3d9f7c749438aee752e07bdb - 496,216 bytes - SOA.zip
- 6175e60b47cbcf7aa499f486612b30d9375f71be637bc3e41a1498c096110fb0 - 496,244 bytes - Transfer 2023 7 4.zip
- b5a87cc49c9339ff3231ebbe38e04d54bd18b314cec7fae9b05e04453889171a - 583,135 bytes - UPDATED STATEMENT OF ACCOUNT.rar

3 DIFFERENT FILE HASHES FOR EXTRACTED EXE FILES:

- 210b15cbeafb375cf040d23151391ab74c23d629bd4a065cc3574e9963f38474 - 628,736 bytes - MT103 4 7 2023.exe
- 210b15cbeafb375cf040d23151391ab74c23d629bd4a065cc3574e9963f38474 - 628,736 bytes - shipping documents.exe

- 1866f5e347fd56a35cb9a28e4d59ff6b915d230a70a55e183313535e76fcd84e - 592,896 bytes - SOA.exe
- 1866f5e347fd56a35cb9a28e4d59ff6b915d230a70a55e183313535e76fcd84e - 592,896 bytes - Transfer 2023 7 4.exe

- 90d98c50d2011d8094cb6a6fd66a272e6234a0efa2a2c22f7cd8a5801753797e - 776,704 bytes - new order CM-PO23020351.exe
- 90d98c50d2011d8094cb6a6fd66a272e6234a0efa2a2c22f7cd8a5801753797e - 776,704 bytes - Request for quotation.exe
- 90d98c50d2011d8094cb6a6fd66a272e6234a0efa2a2c22f7cd8a5801753797e - 776,704 bytes - UPDATED STATEMENT OF ACCOUNT.exe

POST-INFECTION DATA EXFILTRATION:

- 162.241.169[.]155 port 587 - mail.adityagroup[.]co - encrypted SMTP traffic

===============
EXAMPLE 2 OF 3:
===============

2 EMAILS:

- Received: from hlsholding[.]com[.]cn (unknown [185.225.74[.]18]); 2023-07-06 08:19 UTC

- Received: from 202.254.238[.]16 (EHLO sv15.xbiz[.]ne[.]jp); 2023-07-06 11:22:59 UTC
- Received: from [107.161.81[.]151] (unknown [107.161.81[.]151]) by sv15.xbiz[.]ne[.]jp; 2023-07-06 11:22:56 UTC

- Subject: Re: Confirm Bank Details
- Subject: QUOTATION REQUEST

2 ATTACHMENTS:

- f4f068ce78be6381eaaa55a7074d3770b6f175fa690527e9957a40dcddced8ff - 660,960 bytes - BANK DETAILS.pdf.zip
- d919819d7f4a8567f25b94fd9e54c1ea8fee4a7527816eecde3c6604c4f294f0 - 585,020 bytes - QUOTATION.pdf.rar

1 FILE HASH FOR EXTRACTED EXE FILES:

- a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886 - 777,728 bytes - PO.pdf.exe
- a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886 - 777,728 bytes - QUOTATION.pdf.exe

POST-INFECTION DATA EXFILTRATION:

- 173.254.28[.]237 port 587 - mail.expertsconsultgh[.]co - unencrypted SMTP traffic
- Uses email account for: oppong@expertsconsultgh[.]co
- Sends exfiltrated data to: info@ledcenter[.]by

===============
EXAMPLE 3 OF 3:
===============

2 EMAILS:

- Received: from ehansun[.]co[.]kr (unknown [185.222.58[.]35]); 2023-07-06 19:23 UTC
- Received: from ehansun[.]co[.]kr (unknown [185.222.58[.]35]); 2023-07-07 16:07 UTC

- Subject: info@[recipient's email domain] sent you files via inbox
- Subject: Posted Inv/BL

SAME ATTACHMENT FOR EACH EMAIL:

- a2218cee999c02a4b86acc88d0e9f9bae0696e9cba3dc47430bba0753b45c74c - 1,507,328 bytes - Balance Payment.img

EXTRACTED EXE:

- b45c5c5e4308f24bf38a33614961d3efd92ee512980158d6f8daf3f49834bf3f - 923,200 bytes - Balance Payment.exe

POST-INFECTION DATA EXFILTRATION:

- 192.254.225[.]166 port 587 - mail.bonnyriggdentalsurgery[.]com[.]au - encrypted SMTP traffic
