Rewterz Threat Alert – Threat Actors targeting organizations associated with COVID-19 Vaccine

December 7, 2020

Rewterz Threat Advisory – Russian Hackers Exploiting Recently Patched VMware Flaw

December 8, 2020

Rewterz Threat Alert – AgentTesla Information Stealer – IoCs

December 7, 2020

Severity

High

Analysis Summary

A new AgentTesla campaign is seen targeting victims with malspam. AgentTesla is known for stealing data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. Agent Tesla collects personal information from the victim’s machine, steals data from the victim’s clipboard, can log keystrokes, capture screenshots and access the victim’s webcam. It can kill running analysis processes and AVsoftware. The spyware also performs basic actions to check whether it is running on a virtual machine or in debug mode, in an attempt to hide its capabilities and actions from researchers. All the data it obtains is sent in encrypted form via SMTP protocol.

This current Agent Tesla campaign seems to be using email attachments with the common phishing themes of invoice, quotation request, new order, shipping advice, etc. These malicious attachments when downloaded and executed will infect the target system with Agent Tesla.

Impact

Credential Theft
Data Exfiltration
Information Disclosure
Detection Evasion

Indicators of Compromise

Filename

DHL INVOICE[.]gz[.]exe
DHL INVOICE[.]gz
New order 46728[.]xlsx
quotation request sheet for new business query scan document 000889—-000383644377[.]rar
SHIPPING ADVICE OF WK20201102801 ~ WK20201102809 # 2617 – JML[.]exe
New order[.] December[.]exe
New order[.] December[.]zip
Scan 979[.]exe

MD5

db08dad1b24a01a1c98dae412cab131a
dacd3b0fe3b08535f1b00dd0f6c6619e
53fd2952d08b9c6c4eb3b4b700de854a
c68b570e8997b0fb984675d25f82d36c
31a323274d22a5dc09d93f9b1a54a2ba
c94c9e870cccfbe22ea15544c18e2401
15244163f18d97881cf794ce294b64f5
5d0e93bf9487b14ea63877ffe2b4cc57
4a55d90ed057090c59c875aa44f810c4
0d2427258e21b27825cc0cb6dd9c633a
ee62fc99fa2d9df57edf83938c0c293a
d4758bec84fd18f575cad50dd5411779
8ae1ca4d3617938bcec96057c45185fe
828544dc2f388a68a2709e623c1745ee
52961c6f175b75453f3627753475c511
6c5b62cd894dc859b220379d2da14249
7876e90e757b2c30afa1326fec27b1e7
42289a23f33d793b5213979021fe021f
45a5d5b7219c37bbc2547546d3cf8fd4
7a807fb6e216caca90f65744fbb2b509
f6f74135015a1b33635bd6cc605c3c98
20561b0902ff85bbc65d6cfd0996215c
c629135f82b07d563afbf8d7d2399a4f

SHA-256

b39de16dd4f9cca5342dcd36875ceb246874f486698e34fea88e095d8596b368
c21ef9a213c71c43dd79f86707deffd34ce403f3e6bf5d9786cd97f86a2da32c
22f447f5336db462a0342b3a78f21706c643dab9d7517b8d96c148833926262b
d455e26e8b2cecda7ae1f03d70acfb7c72341610571638300cc561623f6a4fa6
1e63e95fbffd47595bf5a51147690a3f07b53e3fb7d1ebb78fe77b7054b211af
91c714124fa647bc291e83e46e4882a73e7bf31034cd72d413abde1e1267b796
294d3baa6d4e6b9d6e55fd9c67072d0d27f3786a4abb6b27c32fa977778fd94e
0048ee1b26789738562588fa061c52edf97198887f583c536aeec5505adb356d
559afda490876db35346de0e9b48dc3c27dfed237079233d99fb456c6d628d2f
7ea4b49b8a2a85cc8a498d18111959644d247c61a1ff49e46fcb71e2f65987ca
2f37815267df31fe2fb1cbfd752e38937c14fc8003ab53d0456b465e70735fa0
8cd31ed325e997a76dff05ff7b72dc7d360bcd906e71e5096b8e90051a16d809
14e825ebed2c7886f5e5841724b4ae7f5c0b7bd2c46ea94dffee74381e1fc73f
733791b9f0a883fccd3d16935d700144bdfb9e5b8ca2ee4a095fa30ce9c301e5
dccf3751a429e82ac64003742b6613c0d298e8d25dfca3d5d2ce2ae22ff6d7f9
6e1a37cc8b4d9d0588132c3f315a4e1f7873ddae440c7be61381b12edf74e723
832c0dd17cdf0e06d2084cdb17df2281718e49f043972edfb2186678741fab8d
824d9e9082e27b16c7bff8e0c02321c69abde54bcbc160a17f68ad4eba21170f
30b2c25ee43913d10eb0cdf42d149e844d88b978e3d41b2808e4564860342860
723cff4baa39f7292958eb4291239eabb4e097e85de8a862b87f2d151d1ffede
75fc8e8a2efbc0d1eb546a8ced701acf6d81e8a579568edbd22c08b43207392e
4c122805ffa252199f267845085ea5304553a541c8814a4b907e8dfefc25eae1
74c76ce0424cda179cdd5946c06ef82d3da22dc9616bd4eb8df9c43b8d359c1f

SHA1

dced03cd0efdcad81f172647f7f7c601de04d40a
3bc9d705d8c799c3b9712a3ac3b581d28f4150ff
50be9f4ecf3117900af862dfca3701fdcb575657
74d9c1628e74101a2ebec3a1299846197c74eb6c
dce3f045ae0bb716b64886f90d5a8234faddca2d
a6527ef4bee59b78e512040954ff7f6ce09a41cd
50787a5f2243331d23d2655ddb5d63e60a97bdb0
6a00117caf69d90b25e5f4bf827b26f7163c1ef9
9c6f5d5da5becb077c9539f2e8fb1fb0b122cdcb
3d051c88642549112c16b99e689a7773498a7b7a
0c467db7f48f1fc19d8703c68462b80d510489eb
0473f678fe37d0488938afde2ae682cc3668e443
0470bd2115b161ca3cbd89fa2ab4f99a30bc5f9f
619d240228e6fdc95504b96a6376fefee630794e
4cc79bdba359916654fa1814bb80e79e856ab21a
29a56a37cc15c36b43869829fe127a227f44b717
bae3dc9196cb3a3faa3f79848ebd7c16f3282bca
387ba991a7fbc49d8b5371bb410abac55dd82b2d
986d606cd8edbabcfd36fef9bbf538364eb14732
4fa2eda9b67f0a240c4926ba0d2bf1b4a348a6da
b905ebb13036ebe55a7ea99d8912c43299853f69
4e6666673edca5a92f160782430d733ca001cd42
8dad1c341776f7409c521a9ea28a09c5da50117f

Remediation

Block the threat indicators at their respective controls.
Do not download email attachments coming from untrusted sources.
Do not download untrusted files from random sources on the internet.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us