
Cybercrime, new Agent Tesla campaign via Spain

Malware Hunter JAMESWT Technical Analysis

Cybercrime, new Agent Tesla campaign via Spain. The email's gz attachment contains an exe which, if opened, triggers the malware infection. Stolen data is exfiltrated via Telegram.

Agent Tesla is hiding behind a fake invoice from a company in Spain. The email contains a compressed attachment in gz format.

Inside there is an executable that, if opened, activates the malware infection. Once inside the computer, it steals information and exfiltrates it via Telegram.

Agent Tesla's keylogger function captures everything the user types. It can also steal credentials stored by browsers and email clients and take screenshots. Finally, its operators can remotely issue commands on the infected PC, such as downloading additional payloads or updating existing ones.
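Two checks a defender can run against the tradecraft described above, written as an added example rather than code from the article: one scans web-proxy log lines for requests to data-carrying Telegram Bot API methods (the sendDocument exfiltration channel), keeping only the numeric bot id rather than the secret; the other flags attachment names that disguise an executable as a document. The log lines, bot token, IP addresses and filenames are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not taken from the article):
# "<timestamp> <client_ip> <verb> <url> <status>"
SAMPLE_PROXY_LOG = """\
2021-04-22T10:14:03Z 10.0.0.12 POST https://api.telegram.org/bot0000000000:AAEXAMPLEEXAMPLETOKEN/sendDocument 200
2021-04-22T10:14:05Z 10.0.0.12 GET https://www.example.com/index.html 200
2021-04-22T10:15:17Z 10.0.0.33 POST https://api.telegram.org/bot0000000000:AAEXAMPLEEXAMPLETOKEN/getMe 200
"""

# Telegram Bot API URLs have the form /bot<id>:<secret>/<method>.
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)
# Bot API methods that carry data from the host to the operator.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
DOC_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx"}


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    bot_id: str
    method: str


def scan_proxy_log(text: str) -> list:
    """Return one Hit per request to a data-carrying Telegram Bot API method.
    Only the numeric bot id is kept; the secret half of the token is dropped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _verb, url, _status = parts[:5]
        m = TELEGRAM_BOT_API.search(url)
        if m and m.group("method") in EXFIL_METHODS:
            hits.append(Hit(ts, client, m.group("bot_id"), m.group("method")))
    return hits


def is_disguised_executable(filename: str) -> bool:
    """True for names like 'Invoice_pdf.exe': an executable extension whose stem
    ends in a document-type token, the lure pattern used in this campaign."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot or ("." + ext) not in EXEC_EXT:
        return False
    return re.split(r"[._\- ]", stem)[-1] in DOC_TOKENS
```

In production the proxy parser would be adapted to the local log format; the regex and method set are what matter.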

The IOC
