BradMar 19

#CVE_2017_11882 or some similar BS from an Excel file attached to a message sent to my blog email address. Final malware seems to be an AgentTesla/SnakeKeyLogger/VIP Recovery variant. Sample at:

https://bazaar.abuse.ch/sample/263b3f3c5e91c8fe858803ceae4b268af40536487828cf980e8d6e4d793648c0/

Calls for follow-up files at:

- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/wealtt/nerdfwiqtwqhdgfrwt6fntdwrgonht.js

- hxxp[:]//91.92.242[.]3:7777/noesisllc.online/wealt1818/ENCRYPT.Ps1

Samples of these follow-up files at:

- https://bazaar.abuse.ch/sample/c47d92db7ed3cc5fdbb3296f3f4ab328cd8b66ac079f5bf658d4f2fa5f8a6af7/

- https://bazaar.abuse.ch/sample/dd737dea20792860147b53679f68e964778a2b47e98d7187ccd4ead0127aec76/

Show threadJames_inthe_box

@malware_traffic Confirming #snake keylogger...

Bot telegram token and email exfil host:
8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA
hosting2\.ro\.hostsailor\.com

Mar 19 at 8:35pmWeb
Show threadBradMar 19
@james_inthe_box