#AgentTesla
-> 335__Shipping_Document_PDF.iso
-> Shipping Document_PDF.exe
de5d30424fc0bd614e697ca4c13836e0
🚨Malware Tips 🚨 - Resolving API Hashes Using Conditional Breakpoints.
By adding breakpoints and log conditions to a function that resolves api hashes, it's possible to quickly resolve api hashes in bulk.
Thread
[1/11] 👇
#Malware #AgentTesla #Ghidra #Debugging
Potential-IOCs sourced from #QuasarRat , #Amadey , #SnakeKeylogger , and #AgentTesla samples:
-api.rest7.com
-ipinfo.io
-ip-api.com
-trackip.net
-icanhazip.com
-api.2ip.ua
-api.ipify.org
reecDeep MalwareHunterTeam Malware Patrol ExecuteMalware JAMESWT James Gianni Amato TG Soft Myrtus proxylife 0xToxin🕷️ Thanks for sharing reecDeep. Pivoting around seems to lead to AgentTesla... could there be some overlap?
RussianPanda 🐼 🇺🇦 Gi7w0rm James proxylife 0xToxin🕷️ #AgentTesla Pretty basic from the looks of it. Using a Telegram API for the C2.
tria.ge/230524-wfs58se…
#AgentTesla targeting 🇵🇱 in via malspam attachments:
Gz->vbs->powershell script dropping payload from:
s://tajvand.com/dgwMbIMr64.bin
Exfil through FTP: ftp[.]riodancestudio[.]com[.]au
CERT Orange Polska CSIRT KNF Mikhail Kasimov Kili JAMESWT James reecDeep
proxylife DGSecNet - [email protected] DIANColombia Gi7w0rm JAMESWT James RussianPanda 🐼 🇺🇦 Germán Fernández Aaron Jornet reecDeep m4n0w4r Ankit Anubhav Interesting, can't recall BlindEagle were using AgentTesla, might be some kind of loader service they're both using?
RussianPanda 🐼 🇺🇦 Gi7w0rm proxylife 0xToxin🕷️ James I know this is old news, but this bad actor nuked all their other #AgentTesla payloads and has just one called blessed. Best thing is the only data in the files is their own. They tested on their machine. The payload was created 30 seconds before I found it.
#AgentTesla #Malware targeting #italy using fake #DHL document as a lure.
📨exfiltration of stolen data via SMTP:
🔥
clairemoon444[@[yandex,com
info[@[grasscarpet,ae
mail,grasscarpet,ae
#infosecurity #infosec #CyberSecurity #cybercrime
RussianPanda 🐼 🇺🇦 James Gi7w0rm proxylife 0xToxin🕷️ Some #AgentTesla, nothing too crazy.
tria.ge/230614-z1r1fsd…