Malware Analysis – Ursnif Trojan
September 14, 2020
Rewterz Threat Alert – Maze Ransomware – IoCs
September 15, 2020
Severity
High
Analysis Summary
Agent Tesla information stealer has been making appearances in multiple cyber crime activities. It has been one of the most consistent tools used in infections for a while. It is usually distributed via malspam related to COVID-19, WHO drug advice, face mask lures, etc. The body of the email usually includes the company logo and details of a legitimate organization. Apart from spoofing different brands to avoid detection, Agent Tesla operators also rotate the sender IP address and other indicators of compromise so that previously published indicators no longer detect them. Sometimes the threat actors use a GZ archive as an email attachment, masquerading as a PDF that supposedly contains details on whatever is offered in the email. Contained within the archive is an executable file that, upon execution, installs the Agent Tesla RAT. After an initial check-in with the C2 server, it waits to receive commands to be executed on the victim host. One of the main functionalities of Agent Tesla is the ability to steal passwords from various applications. Gathered credentials and other sensitive information are then exfiltrated to the C2 server via SMTP.
Impact
- Credential Theft
- Exposure of Sensitive Information
- Data Exfiltration
Indicators of Compromise
MD5
- 5f4bce6bcb3eebd015a3e887c33fc9a7
- 4cd542b9aea941eec83990383d8ff80e
- 3cffaeb84289d714e72044eab6749a1b
- cccccb2f86866dde1a130f1a6d439f50
- 2a226a5ab714be30fdd73d3aa3980ffa
- 96d9feae2a4cdd00a341789baaeac20d
SHA-256
- ec219b1cdac8a87f17dd195ab2d5a9012cc78d3a2fbdabdf91dd410ab518aace
- eb181f4736d66dfdddb68c3b65ce2ddafac57a892fc36d5f4d0f5861f8c8640b
- 1771ee60126c71704a8b3aa6378550c1e28ad1fd357b1876030f1390483e5f26
- e171c3773459c818ab6e18f80336bef7ae90ee62ada9ff4fc9530b804679e738
- 3d06c30853f8bb370a2ecd7865f77f0b22932b6c7855c79d10cfb46eb7866766
- 6486949a9633fdb6422b9b8d34fc3775e85ac8f60bd6f69116b13b2747ed635b
SHA-1
- 68d8753a3c111e820d6b0d2f85cc264b776ccc0b
- 8710a426a0fa32588de48dadd14bb060b7131af9
- d4e18f43eed01f201e93595f2fec33e2c38dce52
- bc55d1805d5b7e4fbc7b0cc1e7d3c217402e9575
- 009275a022922bc5337c68b9a6f4bbb500015a26
- 51fd0a440e04ef142a8be0ec847e0a9832220776
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments from untrusted emails.
- Always download software from authentic and official sources.
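As an added example (not code from Rewterz or from this alert), the following Python script shows one way to act on two points above: the GZ-attachment-posing-as-PDF lure described in the analysis summary, and the remediation step of blocking the published indicators. It reads the original filename stored in the gzip header, decompresses the member with a size cap, checks whether the content is actually a PE executable rather than a PDF, and compares the member's MD5, SHA-1 and SHA-256 against the hashes listed in this alert. The attachment names, the `inspect_gz_attachment` verdict format and the sample payloads are all constructed for the example; only the hash set is taken from the page.

```python
import gzip
import hashlib
import io
import zlib

# File hashes published in the alert above (copied from the page's IoC list).
IOC_HASHES = {
    "5f4bce6bcb3eebd015a3e887c33fc9a7", "4cd542b9aea941eec83990383d8ff80e",
    "3cffaeb84289d714e72044eab6749a1b", "cccccb2f86866dde1a130f1a6d439f50",
    "2a226a5ab714be30fdd73d3aa3980ffa", "96d9feae2a4cdd00a341789baaeac20d",
    "68d8753a3c111e820d6b0d2f85cc264b776ccc0b", "8710a426a0fa32588de48dadd14bb060b7131af9",
    "d4e18f43eed01f201e93595f2fec33e2c38dce52", "bc55d1805d5b7e4fbc7b0cc1e7d3c217402e9575",
    "009275a022922bc5337c68b9a6f4bbb500015a26", "51fd0a440e04ef142a8be0ec847e0a9832220776",
    "ec219b1cdac8a87f17dd195ab2d5a9012cc78d3a2fbdabdf91dd410ab518aace",
    "eb181f4736d66dfdddb68c3b65ce2ddafac57a892fc36d5f4d0f5861f8c8640b",
    "1771ee60126c71704a8b3aa6378550c1e28ad1fd357b1876030f1390483e5f26",
    "e171c3773459c818ab6e18f80336bef7ae90ee62ada9ff4fc9530b804679e738",
    "3d06c30853f8bb370a2ecd7865f77f0b22932b6c7855c79d10cfb46eb7866766",
    "6486949a9633fdb6422b9b8d34fc3775e85ac8f60bd6f69116b13b2747ed635b",
}

PE_MAGIC = b"MZ"          # DOS/PE executable header
PDF_MAGIC = b"%PDF"       # what a genuine PDF starts with
MAX_PAYLOAD = 50 * 1024 * 1024  # cap on decompressed size, chosen for the example


def gzip_member_name(blob):
    """Return the original filename stored in the gzip header (FNAME field), or None."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        return None
    flags = blob[3]
    pos = 10
    if flags & 0x04:  # FEXTRA: 2-byte little-endian length, then the extra field
        xlen = int.from_bytes(blob[pos:pos + 2], "little")
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: zero-terminated latin-1 string
        end = blob.index(b"\x00", pos)
        return blob[pos:end].decode("latin-1")
    return None


def decompress_capped(blob, limit=MAX_PAYLOAD):
    """Decompress a gzip stream but refuse output larger than `limit` (archive-bomb guard)."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects gzip framing
    out = d.decompress(blob, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed size exceeds limit")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the content, the three algorithms the alert lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def ioc_matches(data):
    """Hashes of `data` that appear in the alert's IoC list."""
    return {algo: h for algo, h in file_hashes(data).items() if h in IOC_HASHES}


def inspect_gz_attachment(attachment_name, blob):
    """Decide whether a .gz mail attachment should be blocked (hypothetical gateway hook)."""
    findings = []
    try:
        payload = decompress_capped(blob)
    except (zlib.error, ValueError) as exc:
        return {"verdict": "block", "member_name": "", "hashes": {}, "findings": [str(exc)]}
    member = gzip_member_name(blob) or ""
    claims_pdf = attachment_name.lower().endswith(".pdf.gz") or ".pdf" in member.lower()
    if payload.startswith(PE_MAGIC):
        findings.append("decompressed member is a PE executable (MZ header)")
        if claims_pdf:
            findings.append("archive is presented as a PDF but carries an executable")
    elif claims_pdf and not payload.startswith(PDF_MAGIC):
        findings.append("archive is presented as a PDF but the member is not a PDF")
    for algo, h in ioc_matches(payload).items():
        findings.append(f"{algo} {h} matches a published IoC")
    return {"verdict": "block" if findings else "allow", "member_name": member,
            "hashes": file_hashes(payload), "findings": findings}


def build_sample_attachment(member_name, content):
    """Constructed test input: a gzip stream with FNAME set, standing in for a mail attachment."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=member_name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(content)
    return buf.getvalue()


# Constructed samples: a fake PE stub behind a PDF-looking name, and a minimal PDF header.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, member, content in (("Order_Details.pdf.gz", "Order_Details.pdf.exe", FAKE_PE),
                                  ("Quarterly_Report.pdf.gz", "Quarterly_Report.pdf", FAKE_PDF)):
        result = inspect_gz_attachment(name, build_sample_attachment(member, content))
        print(name, result["verdict"], result["findings"])
```

The hash comparison only catches the exact samples in this alert, which is why the content check comes first: the operators rotate indicators, so an executable hiding behind a PDF name is the more durable signal, and the decompression cap keeps the check itself from being abused with an oversized archive.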