Rewterz Threat Alert – Agent Tesla and IcedID banking Trojan Malspam Campaigns

Severity

Medium

Analysis Summary

Two new malspam campaigns have been detected distributing the Agent Tesla malware and the IcedID banking trojan. In the first campaign, an e-mail message was detected whose sender pretends to be an Italian company and which is addressed to Italian users. The theme of the email is a fake purchase order; the attachment is a .DAT file containing a malicious .EXE executable associated with Agent Tesla, and running it delivers Agent Tesla.

The second campaign distributes the IcedID banking trojan. The email is almost devoid of text and suggests unzipping the attached zip archive (“request.zip”). The archive contains a document, “particulars_010.20.doc”, whose AutoOpen macro starts the download of the malware's second stage from a domain that appears to be randomly generated. The second stage, which appears as a file with the extension .cab (or .pdf in other cases), hides a malicious DLL that contains the malware's functionality.
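As an added illustration that is not part of the Rewterz alert, the following Python check scans proxy log lines for the second-stage fetch pattern described above: a PHP endpoint handing out a .cab or .pdf payload, possibly from the IoC domain listed in this alert, with Word as the requesting process. The log format, the user-agent strings and all hosts other than the alert's own IoC domain are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Domain from the alert's IoC list (defanged in the alert, refanged here for matching).
IOC_DOMAINS = {"o7s3dv4.com"}
# In this campaign the second stage arrives as .cab (or .pdf) served by a PHP script.
STAGE_EXTS = (".cab", ".pdf")

# Constructed sample proxy log (assumed format: timestamp client method url user_agent).
# Only the first URL is the alert's real indicator; the other hosts are made up.
SAMPLE_LOG = """\
2020-10-09T09:12:01Z 10.0.0.15 GET http://o7s3dv4.com/gosy/dyxyd.php?l=zuhag6.cab Microsoft Office Word
2020-10-09T09:12:05Z 10.0.0.15 GET https://update.example.org/patch.cab Microsoft-Delivery-Optimization
2020-10-09T09:13:40Z 10.0.0.22 GET http://k3jd8s1.example.net/x/load.php?l=abc12.pdf Microsoft Office Word
2020-10-09T09:14:02Z 10.0.0.31 GET https://intranet.example.org/docs/report.pdf Mozilla/5.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def classify(entry):
    """Return the reasons a request resembles the IcedID second-stage download (empty if none)."""
    reasons = []
    u = urlparse(entry["url"])
    if (u.hostname or "").lower() in IOC_DOMAINS:
        reasons.append("known IoC domain")
    # A .php script whose query parameter names a .cab/.pdf file: the pattern of the alert's URL.
    if u.path.lower().endswith(".php"):
        for values in parse_qs(u.query).values():
            if any(v.lower().endswith(STAGE_EXTS) for v in values):
                reasons.append("php endpoint serving a cab/pdf payload")
    # Word itself fetching such a payload is consistent with the AutoOpen macro described above.
    if reasons and "Office Word" in entry["ua"]:
        reasons.append("download initiated by Word")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits
```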


Impact

  • Information theft
  • Exposure of Sensitive Data
  • Financial Theft

Indicators of Compromise

Domain Name

  • o7s3dv4[.]com

Filename

  • particulars_010[.]20[.]doc

From Email

  • salma[.]moustafa@asass[.]net

MD5


SHA-256


SHA1


URL

  • http[:]//o7s3dv4[.]com/gosy/dyxyd[.]php?l=zuhag6[.]cab

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments coming from unknown senders.