Malware-Traffic-Analysis.net – 2023-11-22 – AgentTesla infection with FTP data exfil

The article analyzes AgentTesla infection stemming from a Spanish-language email with an attached RAR archive, leading to a VBS dropper and a base64-based delivery chain that culminates in FTP data exfiltration. It outlines the infection chain, artifacts, and observed network indicators associated with the campaign. #AgentTesla #FTP #PasteEE #UploadDeImagens #experticsmail #Siscop

Keypoints

  • The infection begins with a Spanish-language email from a Mexico-based mail server, containing an attached RAR file.
  • The attached RAR extracts a VBS script whose network traffic retrieves and assembles the AgentTesla EXE used for data exfiltration.
  • A PNG image is retrieved that contains embedded base64 text which decodes to a DLL, showing a multi-stage payload delivery.
  • Traffic indicators show FTP as the data exfiltration channel and multiple HTTP/HTTPS resources used for staging.
  • Hashes, file names, and URLs are provided as artifacts to identify and track the sample.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The infection chain starts with “This was from a Spanish language email sent from a mail server based in Mexico.”
  • [T1059.005] Command and Scripting Interpreter – The attachment yields a VBS script that facilitates payload delivery (“extracted VBS –> traffic to create AgentTesla EXE”).
  • [T1132] Data Encoding – The AgentTesla EXE is retrieved as a “reversed base64 string that was converted to the EXE” and the PNG contains “embedded base64 text.”
  • [T1071.001] Web Protocols – Observed web traffic and GET requests such as “GET /droidpedofilesbase64.txt” and related HTTP(S) endpoints.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs over FTP with an “FTP control channel” and “FTP data channel (ephemeral TCP port)”.
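The two encoding tricks listed above (the EXE delivered as a reversed base64 string, and a PNG carrying base64 text that decodes to a DLL) are easy to miss in a triage script that only tries a straight base64 decode. The following is an added example written for this summary; it is not code from malware-traffic-analysis.net and does not reproduce the real AgentTesla artifacts. The "MZ"-headed byte strings, the fake PNG, and the offsets are constructed stand-ins so the script runs offline. It shows a defender-side check: try the text both as-is and reversed, keep the orientation that yields a recognizable file type, and carve long base64 runs out of an image file for the same check.

```python
import base64
import binascii
import hashlib
import re

# --- Constructed samples (stand-ins, NOT the real AgentTesla files) -----------
# A few "MZ"-headed bytes play the role of the EXE/DLL the page describes.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
FAKE_DLL = b"MZ" + b"\x00" * 30 + b"PE\x00\x00" + b"\x00" * 60

# Stage 1 as described on the page: the EXE arrives as a *reversed* base64 string.
REVERSED_B64_TEXT = base64.b64encode(FAKE_EXE).decode("ascii")[::-1]

# Stage 2: a "PNG" whose image data is followed by plain base64 text of a DLL.
# (Constructed: a PNG signature, some filler, an IEND chunk tag, then the text.)
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
            + base64.b64encode(FAKE_DLL))


def classify(blob: bytes) -> str:
    """Cheap magic-byte check on a decoded blob."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def triage_base64_text(text: str) -> dict:
    """Decode a text blob as-is and reversed; report the orientation that
    yields a known file type. validate=True makes a reversed string with its
    '=' padding at the front fail loudly instead of decoding to garbage."""
    cleaned = "".join(text.split())  # stagers often wrap or indent the text
    for orientation in ("direct", "reversed"):
        candidate = cleaned if orientation == "direct" else cleaned[::-1]
        try:
            blob = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        kind = classify(blob)
        if kind != "unknown":
            return {"orientation": orientation, "kind": kind, "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest()}
    return {"orientation": None, "kind": "unknown", "size": 0, "sha256": None}


# A run of at least 64 base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def carve_base64_payloads(data: bytes) -> list:
    """Find long base64 runs inside an arbitrary file (here: text appended
    after a PNG's IEND chunk) and report what each one decodes to."""
    found = []
    for m in B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        found.append({"offset": m.start(), "kind": classify(blob),
                      "size": len(blob),
                      "sha256": hashlib.sha256(blob).hexdigest()})
    return found


if __name__ == "__main__":
    print("reversed-base64 text:", triage_base64_text(REVERSED_B64_TEXT))
    print("payloads carved from PNG:", carve_base64_payloads(FAKE_PNG))
```

In a real investigation the decoded blob's SHA-256 is what you compare against the hashes listed under Indicators of Compromise; the constructed samples here will of course not match them.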

Indicators of Compromise

  • [IP] Network endpoints – 188.114.97.3, 45.138.16.176
  • [Domain/URL] Domains – paste.ee (hxxps://paste.ee/d/gz7rC), uploaddeimagens.com.br (hxxps://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879)
  • [File hash] Hashes – f35a8d7cfbf55f800141f5df7f5cf1258b5ffa79899834af0587ffed4d184226, 41a4710e26564ad4a7d4d96ce86c17e48e31f20c3daf8ba2dcccc70981ca646a, and 2 more hashes
  • [File name] – orden de compra T7416.gz, orden de compra T7416.vbs
  • [URL] – hxxps://paste.ee/d/gz7rC, hxxps://uploaddeimagens.com.br/images/004/666/676/original/vbs.jpg?1700182879

Read more: https://www.malware-traffic-analysis.net/2023/11/22/index.html