2023-11-22 (WEDNESDAY) - AGENTTESLA INFECTION WITH FTP DATA EXFIL
NOTICE:
- Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2023-11-22-IOCs-from-AgentTesla-infection.txt.zip 1.9 kB (1,876 bytes)
- 2023-11-22-AgentTesla-malspam.eml.zip 7.5 kB (7,516 bytes)
- 2023-11-22-AgentTesla-infection-FTP-data-exfil.pcap.zip 8.6 MB (8,564,400 bytes)
- 2023-11-22-AgentTesla-malware-and-artifacts.zip 7.6 MB (7,608,996 bytes)
NOTES:
- This was from a Spanish language email sent from a mail server based in Mexico.
- This infection retrieved a PNG image with embedded base64 text that translates to a DLL.
- The AgentTesla EXE was retrieved as a reversed base64 string that was converted to the EXE.
- Always fun to see these AgentTesla samples using FTP for data exfiltration.

INFECTION CHAIN:
- email --> attached RAR --> extracted VBS --> traffic to create AgentTesla EXE --> data exfiltration

SELECT EMAIL HEADERS:
- Received: from experticsmail.expertics[.]com.mx (expertics.com.mx [187.217.245[.]25])
- Received: by experticsmail.expertics[.]com.mx (Postfix, from userid 48)
- Date: Mon, 20 Nov 2023 19:28:32 +0100
- From: Alejandro Medina
- Subject: Orden T7405
- X-PHP-Originating-Script: 0:rcube.php
- Message-ID: <4e8bbd9672f599f755ae3ca2fb980dba@fiba[.]mx>
- Attachment name: orden de compra T7416.gz

ASSOCIATED MALWARE/ARTIFACTS:
- SHA256 hash: f35a8d7cfbf55f800141f5df7f5cf1258b5ffa79899834af0587ffed4d184226
- File size: 5,461 bytes
- File name: orden de compra T7416.gz
- File type: RAR archive data, v5
- File description: Attachment from the above email

- SHA256 hash: 41a4710e26564ad4a7d4d96ce86c17e48e31f20c3daf8ba2dcccc70981ca646a
- File size: 185,656 bytes
- File name: orden de compra T7416.vbs
- File type: Unicode text, UTF-16, little-endian text, with very long lines (833), with CRLF, CR line terminators
- File description: VBS file extracted from the above archive

- SHA256 hash: 5ac8fbddb256ca27716c3de8691c06c5f0692e2001e2fe5f8436bf4b5c760e42
- File size: 112,202 bytes
- File location: hxxps[:]//paste[.]ee/d/gz7rC
- File type: ASCII text, with very long lines (40162), with CRLF line terminators
- File description: Script retrieved by the above VBS file

- SHA256 hash: 86fbbc07ac50e1b1cc4c0fd6e39f4c3882b2e18d1eadb39583a9822f9f045648
- File size: 8,053,264 bytes
- File location: hxxps[:]//uploaddeimagens[.]com.br/images/004/666/676/original/vbs.jpg?1700182879
- File type: PNG image data, 3840 x 2160, 8-bit/color RGB, non-interlaced
- File description: PNG image retrieved during this infection, contains embedded base64 text

- SHA256 hash: 1d8a6e903949d0c0f0323eca14a732a4d66995b79ed5f33b3140382c6aace389
- File size: 1,267,712 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: DLL converted from base64 text in the above PNG image
- Run method: unknown

- SHA256 hash: b396b8bdbcca4a62ff445c459e54f01dd87022f1d79de3471c98a95faa2b6168
- File size: 324,268 bytes
- File location: hxxp[:]//45.138.16[.]176/droidpedofilesbase64.txt
- File type: ASCII text, with very long lines (65536), with no line terminators
- File description: reversed base64 text retrieved during this infection

- SHA256 hash: e95a532e3601c471ea65b26e39136af7e00626d1efd9c087c978e769b8a4f020
- File size: 243,200 bytes
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: converted from reversed base64 text, an EXE for AgentTesla

INFECTION TRAFFIC:
- 188.114.97[.]3 port 443 - hxxps[:]//paste[.]ee/d/gz7rC
- 188.114.97[.]3 port 443 - hxxps[:]//uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879
- 45.138.16[.]176 port 80 - 45.138.16[.]176 - GET /droidpedofilesbase64.txt
- 51.222.104[.]17 port 21 - ftp.siscop[.]com.co - FTP control channel
- 51.222.104[.]17 port 62742 - ftp.siscop[.]com.co - FTP data channel (ephemeral TCP port)
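The two decoding steps in the notes above (base64 text embedded in a PNG that becomes a DLL, and a reversed base64 text file that becomes the EXE) are the kind of thing an analyst wants to carve out of the pcap or the downloaded files and hash against the IOC list. The script below is an added example written for this page, not a tool from the author or from the malware; it scans any blob for long base64 runs, tries each run as-is and reversed, keeps only the ones that decode to something starting with an MZ header, and reports size and SHA256. The PNG and reversed-text inputs at the bottom are constructed stand-ins (a fake MZ/PE stub inside PNG-looking bytes), not the real files from this infection.

```python
import base64
import binascii
import hashlib
import re

# A long run of base64 alphabet characters (64+ chars) with optional padding.
# Droppers of this kind hide the encoded payload in image bytes or in a plain
# text file, so we scan for such runs rather than parse the container format.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_base64_runs(data: bytes):
    """Return every long base64-looking run found in a blob of bytes."""
    return [m.group(0) for m in B64_RUN.finditer(data)]


def decode_candidate(run: bytes):
    """Decode a base64 run with normalised padding; None if it is not valid base64."""
    stripped = run.rstrip(b"=")
    padded = stripped + b"=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (ValueError, binascii.Error):
        return None


def carve_pe(data: bytes):
    """Find embedded PE files encoded as base64, either as-is or reversed.

    Returns a list of dicts, one per payload whose decoded bytes begin with
    the 'MZ' DOS header, with the size and SHA256 an analyst would compare
    against an IOC list.
    """
    hits = []
    for run in find_base64_runs(data):
        # In the reversed-text variant the '=' padding sits at the front, where
        # the regex does not consume it; reversing the matched run and
        # re-padding it recovers the original base64.
        for mode, candidate in (("plain", run), ("reversed", run[::-1])):
            decoded = decode_candidate(candidate)
            if decoded and decoded.startswith(b"MZ"):
                hits.append({
                    "mode": mode,
                    "size": len(decoded),
                    "sha256": hashlib.sha256(decoded).hexdigest(),
                    "data": decoded,
                })
                break
    return hits


# --- Constructed sample inputs (stand-ins, not the files from this infection) ---
# Minimal PE-shaped blobs: 'MZ' marker, e_lfanew at offset 0x3c pointing to 0x80,
# and a 'PE\0\0' signature at that offset, padded with zeros.
FAKE_PE_A = (b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"\x00" * 64
             + b"PE\x00\x00" + b"\x00" * 42)   # 174 bytes, base64 needs no padding
FAKE_PE_B = (b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"\x00" * 64
             + b"PE\x00\x00" + b"\x00" * 40)   # 172 bytes, base64 ends in '=='

# Stand-in for the PNG: signature bytes and filler around the embedded base64 text.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
              + base64.b64encode(FAKE_PE_A)
              + b"\x00" * 8 + b"IEND\xaeB`\x82")

# Stand-in for the reversed base64 text file: base64 of the EXE written backwards.
SAMPLE_REVERSED_TXT = base64.b64encode(FAKE_PE_B)[::-1]


if __name__ == "__main__":
    for label, blob in (("png", SAMPLE_PNG), ("reversed txt", SAMPLE_REVERSED_TXT)):
        for hit in carve_pe(blob):
            print(f"{label}: {hit['mode']} base64 -> {hit['size']} bytes, sha256 {hit['sha256']}")
```

Run it against a file pulled from the pcap (`carve_pe(open(path, "rb").read())`) and compare the reported SHA256 values with the DLL and EXE hashes listed above; a match confirms the carve reproduced exactly what ran on the host.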