Rewterz

Rewterz Threat Alert – Malicious URLs – Covid-19 Themed

July 3, 2020
Rewterz

Rewterz Threat Alert – Phishing Emails Containing Calendar Invitations

July 6, 2020

Rewterz Threat Alert – Agent Tesla Malware – IOCs

Severity

Medium

Analysis Summary

AgentTesla is known for stealing data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. Agent Tesla collects personal information from the victim’s machine, steals data from the victim’s clipboard, can log keystrokes, capture screenshots and access the victim’s webcam.It can kill running analysis processes and AV software. The spyware also performs basic actions to check whether it is running on a virtual machine or in debug mode, in an attempt to hide its capabilities and actions from researchers. All the data it obtains is sent in encrypted form via SMTP protocol.

Impact

  • Information theft 
  • Exposure of sensitive data

Indicators of Compromise

URL

  • http[:]//hasteemart[.]com/DanishCrownFoods_EXPORTQuoteFeb032020[.]exe
  • http[:]//hasteemart[.]com/DanishCrown_FoodsAS_OrderQuote08022020[.]exe
  • http[:]//198[.]12[.]66[.]108/oGmlNoASGdE8T0A[.]exe
  • http[:]//192[.]3[.]31[.]220/646rEJfSIwVXtF3[.]exe
  • http[:]//198[.]12[.]66[.]110/MfXLMob2DXxq7MS[.]exe

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your enivronment.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.