Today in our section on 'uncoventional #Malware delivery': #ARJ archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla , #Formbook or #Guloader
1/4 🧵

OneNote Malware Campaign Insights
Malware List:
1️⃣ Qakbot
2️⃣ Emotet
3️⃣ AgentTesla
4️⃣ IcedID
...
research.loginsoft.com/threat-researc…
#ThreatIntelligence #malware #onenote #infosec

#AgentTesla
-> 335__Shipping_Document_PDF.iso
-> Shipping Document_PDF.exe
de5d30424fc0bd614e697ca4c13836e0

AgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints embee-research.ghost.io/agenttesla-ful…

Our new artwork is generated by AI using malware hashes.

Win32.AgentTesla.14a388b154b55a25c66b1bfef9499b64

🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.

By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.

Thread
[1/11] 👇

#Malware #AgentTesla #Ghidra #Debugging

📩 #Vjw0rm #WSHRAT #Agenttesla
⚰️>jemyy.theworkpc.]com
⚰️>109.248.144.]235:5401
⚰️>139.177.146.165:4848
⚰️>menu@rzr0ngtai.]com
🧰Samples🔽
bazaar.abuse.ch/browse/tag/jem…

Potential-IOCs sourced from #QuasarRat , #Amadey , #SnakeKeylogger , and #AgentTesla samples:

-api.rest7.com
-ipinfo.io
-ip-api.com
-trackip.net
-icanhazip.com
-api.2ip.ua
-api.ipify.org

[2:3]

virustotal.com/gui/file/db682…

#AgentTesla

reecDeep MalwareHunterTeam Malware Patrol ExecuteMalware JAMESWT James Gianni Amato TG Soft Myrtus proxylife 0xToxin🕷️ Thanks for sharing reecDeep. Pivoting around seems to lead to AgentTesla.. could there be some overlap?

RussianPanda 🐼 🇺🇦 Gi7w0rm James proxylife 0xToxin🕷️ #AgentTesla Pretty basic from the looks of it. Using a Telegram API for the C2.

tria.ge/230524-wfs58se…

d4rk3r Hey there! There is actually hex reading/writing codes contained on signature analysis module also resource checker module is detect and carve possible PE files from .NET malware samples such as AgentTesla and similar family samples.

Look, some brands are going to create incredible content for social media. They have budget, they have a big team, they have the resources, they have hired agencies.

Don't compare your work as a single social media manager to a multi-billion dollar brand. You're doing great.

It's not social media. It's social money. We have the tools you need to turn your followers into your business. uixtv.com #freelance #gig #business #workfromhome

#AgentTesla targeting 🇵🇱 in via malspam attachments:

Gz->vbs->powershell script dropping payload from:
s://tajvand.com/dgwMbIMr64.bin

Exfil through FTP: ftp[.]riodancestudio[.]com[.]au

CERT Orange Polska CSIRT KNF Mikhail Kasimov Kili JAMESWT James reecDeep

Sorry, I'm Late...
ahteestore.com/collections/ca…
#cats

proxylife DGSecNet - [email protected] DIANColombia Gi7w0rm JAMESWT James RussianPanda 🐼 🇺🇦 Germán Fernández Aaron Jornet reecDeep m4n0w4r Ankit Anubhav Interesting, can't recall BlindEagle were using AgentTesla, might be some kind of loader service they're both using?

RussianPanda 🐼 🇺🇦 Gi7w0rm proxylife 0xToxin🕷️ James I know this is old new but this bad actor nuked all their other #AgentTesla payloads and has just one called blessed. Best thing is the only data in the files is there own. They tested on their machine. The payload was created 30seconds before I found it.

'AgentTesla - DeepAnalysis _Stage2'
Capabilities_ > ⚠️⚠️⚠️

✴️ Persistence
✴️SMTP creds + Attacker Location
✴️Browsers + Cookies
✴️VPN / VNC / FTP
✴️Checking External IP [API]
✴️HKEYS + Windows Credentials
✴️KeyStrokes + Email Protocols

IOC's:
tinyurl.com/5n7ychur

TOP10 last week's threats by uploads 📊

⬆️ #Redline 245 (238)
⬆️ #Njrat 138 (138)
⬇️ #Remcos 94 (127)
⬆️ #Asyncrat 73 (51)
⬆️ #Raccoon 55 (54)
⬇️ #Orcus 52 (77)
⬆️ #Vidar 49 (41)
⬆️ #Dcrat 48 (17)
⬆️ #Arkei 46 (33)
⬆️ #Agenttesla 46 (27)

any.run/malware-trends…

#AgentTesla #Malware targeting #italy using fake #DHL document as a lure.

📨exfiltration of stolen data via SMTP:
🔥
clairemoon444[@[yandex,com
info[@[grasscarpet,ae
mail,grasscarpet,ae

#infosec urity #infosec #CyberSecurity #cybercrime

RussianPanda 🐼 🇺🇦 Gi7w0rm proxylife 0xToxin🕷️
James Your huckleberry added a few new payloads today. Couple #AgentTesla and a #AsyncRat .
They moved away from the 'IP/file' style of the originals and are using API's on the new ones.tria.ge/230605-xj4a2sa…

RussianPanda 🐼 🇺🇦 James Gi7w0rm proxylife 0xToxin🕷️ Some #AgentTesla , nothing to crazy.

tria.ge/230614-z1r1fsd…