More AgentTesla keylogger as fileless malware.

We are seeing a continuation of the new style AgentTesla malspam campaign again this morning. This still uses a multistage downloader that eventually results in the AgentTesla keylogger / infostealer running on the victim’s computer as fileless malware. The initial stage today is a .exe file rather than the Word doc / RTF doc we saw on Friday 21 June 2019.

These are abusing the semi-legitimate pastebin alternative https://paste.ee to host the malware as base64 encoded plain text.

Today’s version starts with a .exe file inside the zip attachment. This is a downloader that calls out to https://paste.ee/r/gTKc6, which is a base64 encoded DLL file that appears to be part of the downloader for the AgentTesla binary. The AgentTesla binary is also downloaded in base64 encoded format, from https://paste.ee/r/9VYgK, and either the original .exe file or, more likely, the downloader DLL converts it to a working .exe. But none of the base64 encoded files, the resulting AgentTesla binary or the downloader DLL ever appears on the victim’s computer in any format that can be obtained.
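For anyone triaging one of these pastes, the useful defensive question is "does this base64 text decode to a Windows executable, and does its hash match anything already known?". The script below is an added example written for this post, not code from the original page or from the campaign: it strictly decodes a paste body, checks for an MZ stub whose e_lfanew points at a PE signature, and hashes the result against the SHA-256 values listed in the post's IOC section. The sample paste bodies are constructed stand-ins (a minimal MZ/PE header, not a runnable program); the real paste.ee contents are not reproduced.

```python
import base64
import binascii
import hashlib
import struct
from typing import Optional

# SHA-256 values listed in the post's IOC section (taken from the page, not constructed).
KNOWN_SHA256 = {
    "a1eb207ed65f4fe4a898f6a9acd91b4a08c9cd78137f08a737cef81b9e38e759": "bob.exe (main object)",
    "32b60d7bba22cc1682f4ba651d86c9fb357bdc82e9a284ab9668e5446bd24bb3": "NewApp.exe (dropped)",
    "58166239b43bbd41819d8a11aad4b91187824bb1ec30b475a45cb6e3590289c0": "unlabelled hash from the post",
    "f02d36b938a7ac876ac867d955a0a9801552c03c9ec5310346778b98915be739": "unlabelled hash from the post",
    "ee5ecb54a195023309c1ce1842cc1e4a2a5744dc5231c4201a4de638ab47fbf2": "unlabelled hash from the post",
    "5cc7f7faa01fb0156b8afe2504f109d82faf1bf4257dbfe080751c42032260ad": "unlabelled hash from the post",
}


def decode_paste(text: str) -> Optional[bytes]:
    """Strictly decode a base64 paste body; None if it is not clean base64."""
    cleaned = "".join(text.split())  # paste bodies are often line-wrapped
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_paste(text: str) -> dict:
    """Classify a paste body and hash whatever it decodes to for IOC matching."""
    data = decode_paste(text)
    if data is None:
        return {"verdict": "not-base64"}
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "verdict": "pe" if looks_like_pe(data) else "non-pe",
        "size": len(data),
        "sha256": sha256,
        "known_as": KNOWN_SHA256.get(sha256),  # None when the hash is not in the post
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in: an MZ stub pointing at a PE signature, not a runnable program."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample pastes (the real paste.ee contents are not reproduced here).
SAMPLE_PE_PASTE = base64.b64encode(build_fake_pe()).decode()
SAMPLE_TEXT_PASTE = base64.b64encode(b"just some notes").decode()

if __name__ == "__main__":
    for name, body in (("pe", SAMPLE_PE_PASTE), ("text", SAMPLE_TEXT_PASTE), ("junk", "not base64!!")):
        print(name, triage_paste(body))
```

Because the decoded bytes are only hashed and inspected, never written to disk or executed, the same routine can be pointed at a proxy or sandbox capture of the paste body to confirm whether what came down the wire matches the hashes above.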



tdesignsweater.com has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails. The actual senders are a very well known criminal gang that use AS209299 VITOX TELECOM in Iceland on 37.49.230.*; today they are using 37.49.230.186. This criminal gang use multiple different malware families in their campaigns. I frequently see AgentTesla, Hawkeye, Nanocore & Remcos RAT coming from them.

From: [email address obfuscated on the source page]

Date: Mon 24/06/2019 06:06

Subject:  RE: Request for DOCS aprroval, PO: 500060872 ( SPUCOPINNY)

Attachment:  BL & Invoice copy.zip

Body content:

Dear Sir,REF PO: 500060872

Pls find the attached draft BL & Invoice copy for your  confirmation.

Pls check and advice.

Thanks,

Best regards,

S.M. Ataur Rahman

Commercial Manager

[email address obfuscated on the source page] Description: http://114.134.89.30/t-design/signature/logo-r.png

Road 06, House 375

D.O.H.S Baridhara, Dhaka, Bangladesh.

www.tdesignsweater.com

Signature images: http://114.134.89.30/t-design/signature/facebook.png, http://114.134.89.30/t-design/signature/twitter.png, http://114.134.89.30/t-design/signature/linkedin.png, http://114.134.89.30/t-design/signature/pinterest.png

Screenshot:

Fake order / invoice email


bob.exe | Current VirusTotal detections | Anyrun |

This malicious file calls out to https://paste.ee/r/gTKc6 | VirusTotal | which is converted to a DLL | VirusTotal |

Then this downloads another base64 encoded file from https://paste.ee/r/9VYgK | VirusTotal | which is converted to a working .exe | VirusTotal |. Unusually, the base64 encoded files and the resulting .exe are different sizes, so something funky is going on here as well.

The AgentTesla binary never actually appears on the victim’s computer and must be running in memory somewhere.

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and other organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Email Headers:

IP | Hostname | City | Region | Country | Organisation
37.49.230.186 | | Reykjavík | Höfuðborgarsvæðið | IS | AS209299 VITOX TELECOM
Received: from [37.49.230.186] (port=52456 helo=gmail.com)
	by my email server with esmtp (Exim 4.92)
	(envelope-from <[email address obfuscated on the source page]>)
	id 1hfHAd-0004Lk-EG
	for [email address obfuscated on the source page]; Mon, 24 Jun 2019 06:05:35 +0100
From: [email address obfuscated on the source page]
To: [email address obfuscated on the source page]
Subject: RE: Request for DOCS aprroval, PO: 500060872 ( SPUCOPINNY)
Date: 23 Jun 2019 22:05:34 -0700
Message-ID: <[message-id obfuscated on the source page]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_8218B1D4.884F2195"
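The first Received hop is where the useful signal sits: the connecting IP is inside the 37.49.230.* range the post ties to AS209299, and the HELO name is a bare "gmail.com", which a real Google MTA would never present from an Icelandic hosting range. The script below is an added example written for this post (not code from the page or from any mail product) that parses an Exim-style Received header, checks the origin IP against that range, and flags a consumer-mail HELO. The sample header block is constructed from the headers shown above, with the addresses the site obfuscates replaced by placeholder .invalid addresses; the list of HELO names treated as spoof indicators is an assumption of the example.

```python
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Sender network the post attributes to this gang (AS209299 VITOX TELECOM); from the page.
SUSPECT_NETS = [ipaddress.ip_network("37.49.230.0/24")]

# Assumption of this example: bare consumer-mail domains used as HELO from arbitrary IPs.
SPOOFED_HELOS = {"gmail.com", "outlook.com", "yahoo.com"}

# Matches the Exim form "from [1.2.3.4] (port=NNN helo=name)".
RECEIVED_RE = re.compile(
    r"from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*"
    r"\(port=(?P<port>\d+)\s+helo=(?P<helo>[^)\s]+)\)"
)

# Constructed sample: the headers shown in the post, with obfuscated addresses
# replaced by placeholder .invalid addresses.
SAMPLE_HEADERS = """\
Received: from [37.49.230.186] (port=52456 helo=gmail.com)
\tby my email server with esmtp (Exim 4.92)
\t(envelope-from <sender@example.invalid>)
\tid 1hfHAd-0004Lk-EG
\tfor victim@example.invalid; Mon, 24 Jun 2019 06:05:35 +0100
From: sender@example.invalid
To: victim@example.invalid
Subject: RE: Request for DOCS aprroval, PO: 500060872 ( SPUCOPINNY)
Date: 23 Jun 2019 22:05:34 -0700
Message-ID: <id@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0012_8218B1D4.884F2195"
"""


def parse_received(header: str) -> Optional[dict]:
    """Pull connecting IP, port and HELO name out of an Exim-style Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "helo": m["helo"].lower()}


def triage_headers(raw: str) -> dict:
    """Check the origin hop against the post's sender range and for HELO spoofing."""
    msg = message_from_string(raw)
    hops = [h for h in (parse_received(r) for r in msg.get_all("Received", [])) if h]
    if not hops:
        return {"findings": ["no parseable Received header"]}
    origin = hops[-1]  # Received headers are prepended, so the last one is the earliest hop
    ip = ipaddress.ip_address(origin["ip"])
    findings = []
    if any(ip in net for net in SUSPECT_NETS):
        findings.append(f"origin {ip} is inside a range the post ties to AS209299")
    if origin["helo"] in SPOOFED_HELOS:
        findings.append(f"HELO '{origin['helo']}' is a bare consumer mail domain, typical of spoofed senders")
    return {"origin_ip": str(ip), "helo": origin["helo"], "findings": findings}


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_HEADERS)["findings"]:
        print("finding:", line)
```

The range check is deliberately narrow (one /24 from one post); in production the same structure would be fed from a maintained block list, and the HELO check would be paired with a reverse-DNS comparison rather than a fixed set of names.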

IOC:

Main object “bob.exe”:
  sha256 a1eb207ed65f4fe4a898f6a9acd91b4a08c9cd78137f08a737cef81b9e38e759
  sha1 a6879acffcd887fe7a5a6cdec66bddef7ad5edb1
  md5 e267b0b4504a801b536e047f34b980a0

Dropped executable file:
  C:\Users\admin\AppData\Roaming\NewApp\NewApp.exe
  sha256 32b60d7bba22cc1682f4ba651d86c9fb357bdc82e9a284ab9668e5446bd24bb3

DNS requests:
  domain paste.ee
  domain smtp.yandex.com
  domain checkip.amazonaws.com

Connections:
  ip 104.18.48.20
  ip 23.111.11.204
  ip 52.202.139.131

HTTP/HTTPS requests:
  url https://paste.ee/r/gTKc6
  url https://paste.ee/r/9VYgK
  url http://checkip.amazonaws.com/

Additional file hashes:

  MD5 f42e14179b0def73b4dd9c6e1cd8b795
  SHA-1 da07f1a1ceb371b00f738299151d6aa34a9c1be6
  SHA-256 58166239b43bbd41819d8a11aad4b91187824bb1ec30b475a45cb6e3590289c0

  MD5 a25da635c3cda30fbbd4afd360e46962
  SHA-1 28e37595473d3eae97c513d1ca9df78772cee070
  SHA-256 f02d36b938a7ac876ac867d955a0a9801552c03c9ec5310346778b98915be739

  MD5 b22c10aaaac3082d3debdc4b224c5e2a
  SHA-1 ffac48a64793921708cf1ca3448771a49aaa37e1
  SHA-256 ee5ecb54a195023309c1ce1842cc1e4a2a5744dc5231c4201a4de638ab47fbf2

  MD5 8d6d7677fa70680444ec144b338a1227
  SHA-1 75eeb8ce3f13082dac763b1b53b0f1d74eed93d6
  SHA-256 5cc7f7faa01fb0156b8afe2504f109d82faf1bf4257dbfe080751c42032260ad
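Since the payload never touches disk, the DNS indicators above are the most practical network-side hook: a single paste.ee lookup is weak on its own, but one host resolving paste.ee, then checkip.amazonaws.com (AgentTesla's external-IP check), then smtp.yandex.com (its exfiltration mail server) inside a short window is a far stronger signal. The script below is an added example written for this post, not code from the page or from any SIEM; it runs that correlation over constructed sample DNS log lines in a simple "timestamp client name" format, and the ten-minute window is an assumption of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Domains from the post's IOC section (from the page, not constructed).
IOC_DOMAINS = {"paste.ee", "checkip.amazonaws.com", "smtp.yandex.com"}

# Constructed sample DNS log: "<iso-timestamp> <client-ip> <queried-name>".
# 10.0.0.12 resolves all three in sequence; 10.0.0.40 only ever resolves two, hours apart.
SAMPLE_DNS_LOG = """\
2019-06-24T06:10:01 10.0.0.12 paste.ee
2019-06-24T06:10:03 10.0.0.12 checkip.amazonaws.com
2019-06-24T06:10:09 10.0.0.12 smtp.yandex.com
2019-06-24T06:11:00 10.0.0.40 paste.ee
2019-06-24T06:12:00 10.0.0.40 www.example.com
2019-06-24T09:30:00 10.0.0.40 smtp.yandex.com
"""


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one log line into (timestamp, client, normalised queried name)."""
    ts, client, name = line.split()
    return datetime.fromisoformat(ts), client, name.lower().rstrip(".")


def find_agenttesla_chains(log_text: str, window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Return {client: start_time} for hosts that resolved every IOC domain within one window."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = parse_line(line)
        if name in IOC_DOMAINS:
            per_host[client].append((ts, name))

    hits: Dict[str, datetime] = {}
    for client, events in per_host.items():
        events.sort()
        # Slide the window forward from each IOC lookup; report the first full chain.
        for i, (start, _) in enumerate(events):
            seen = {name for ts, name in events[i:] if ts - start <= window}
            if seen == IOC_DOMAINS:
                hits[client] = start
                break
    return hits


if __name__ == "__main__":
    for client, start in find_agenttesla_chains(SAMPLE_DNS_LOG).items():
        print(f"{client}: AgentTesla-style lookup chain starting {start.isoformat()}")
```

The chain requirement is what keeps the false-positive rate down: developers do use paste.ee and plenty of software checks its external IP, but the combination with a Yandex SMTP lookup from a workstation is worth a ticket.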

Read more https://myonlinesecurity.co.uk/more-agenttesla-keylogger-as-fileless-malware/
