Fichier Kimligi
| SHA256 | c031a1a29441d679585a0bb2d2fdb9489284dab44e6cdd7f49567aa61d6033ac |
|---|---|
| Yem Adi | Advice-copy3006202600112.exe (danismanlik belgesi yemi) |
| Taille | 453.264 byte |
| Dis Katman | NSIS (Nullsoft Scriptable Install System) installer |
SMTP Exfiltrasyon Email IOC
SMTP Alici: Stoppulsen@Baadflygtningene.Bo Domain: Baadflygtningene.Bo TLD: .bo (Bolivya)
Bu email adresi, AgentTesla'nin calan verileri (sifre, keylog, screenshot) gonderdigi SMTP kutusunu temsil etmektedir. "Baadflygtningene" Danca "kotu multeciler" anlamina gelir; sosyal muhendislik amaciyla kurban ilgisini cekebilecek semantik bir isim sectigi anlasilmaktadir.
Agent Tesla SMTP Exfiltrasyon Architecturesi
- AgentTesla V3, calan verileri dogrudan SMTP uzerinden saldirganin kutusuna gonderir
- SMTP sunucusu, port ve sifre de inner PE katmaninda sifrelenmis olarak bulunur
- Her kurban bildirimi email subject'inde OS, IP ve hostname bilgisi icerir
IOC
| SHA256 | c031a1a29441d679585a0bb2d2fdb9489284dab44e6cdd7f49567aa61d6033ac |
|---|---|
| SMTP Email | Stoppulsen@Baadflygtningene.Bo |
| Domain | Baadflygtningene.Bo |
| Yem | Advice-copy3006202600112.exe |
AgentTesla — Profil du malware
AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.
Détails techniques
C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot
Attribution / Acteur de la menace
Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.
Capacités et comportement
Liste IOC (1 indicateurs)
# SHA256
c031a1a29441d679585a0bb2d2fdb9489284dab44e6cdd7f49567aa61d6033ac
| Type | Valeur | Note |
|---|---|---|
| sha256 | c031a1a29441d679585a0bb2d2fdb9489284dab44e6cdd7f49567aa61d6033ac |
Serveurs C2 (8 serveurs enregistrés pour cette famille)
| Adresse | Type | Port | Protocole | Statut | Pays |
|---|---|---|---|---|---|
| digicert.com | domain | — | TCP | active | — |
| stem.ru | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
| dublincore.org | domain | — | TCP | active | — |
| googleapis.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| freightfacilitators.com | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.